4.9-stable patches

added patches:
	usb-core-fix-out-of-bounds-access-bug-in-usb_get_bos_descriptor.patch
	usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch

diff --git a/queue-4.9/series b/queue-4.9/series
index 16c917c1cd9dbd7e627db7214bb41b9f81d1ba31..0896a64cc17b55f19ecf22969e9bfaf84b580bcd 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -1 +1,2 @@
 usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch
+usb-core-fix-out-of-bounds-access-bug-in-usb_get_bos_descriptor.patch

diff --git a/queue-4.9/usb-core-fix-out-of-bounds-access-bug-in-usb_get_bos_descriptor.patch b/queue-4.9/usb-core-fix-out-of-bounds-access-bug-in-usb_get_bos_descriptor.patch
new file mode 100644 (file)
index 0000000..8bcdb2a
--- /dev/null
+++ b/queue-4.9/usb-core-fix-out-of-bounds-access-bug-in-usb_get_bos_descriptor.patch
@@ -0,0 +1,44 @@
+From 1c0edc3633b56000e18d82fc241e3995ca18a69e Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 18 Oct 2017 12:49:38 -0400
+Subject: USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 1c0edc3633b56000e18d82fc241e3995ca18a69e upstream.
+
+Andrey used the syzkaller fuzzer to find an out-of-bounds memory
+access in usb_get_bos_descriptor().  The code wasn't checking that the
+next usb_dev_cap_header structure could fit into the remaining buffer
+space.
+
+This patch fixes the error and also reduces the bNumDeviceCaps field
+in the header to match the actual number of capabilities found, in
+cases where there are fewer than expected.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -955,10 +955,12 @@ int usb_get_bos_descriptor(struct usb_de
+       for (i = 0; i < num; i++) {
+               buffer += length;
+               cap = (struct usb_dev_cap_header *)buffer;
+-              length = cap->bLength;
+ 
+-              if (total_len < length)
++              if (total_len < sizeof(*cap) || total_len < cap->bLength) {
++                      dev->bos->desc->bNumDeviceCaps = i;
+                       break;
++              }
++              length = cap->bLength;
+               total_len -= length;
+ 
+               if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {

diff --git a/queue-4.9/usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch b/queue-4.9/usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch
new file mode 100644 (file)
index 0000000..4d9ebf9
--- /dev/null
+++ b/queue-4.9/usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch
@@ -0,0 +1,67 @@
+From 845d584f41eac3475c21e4a7d5e88d0f6e410cf7 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 16 Oct 2017 16:21:19 +0200
+Subject: USB: devio: Revert "USB: devio: Don't corrupt user memory"
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 845d584f41eac3475c21e4a7d5e88d0f6e410cf7 upstream.
+
+Taking the uurb->buffer_length userspace passes in as a maximum for the
+actual urbs transfer_buffer_length causes 2 serious issues:
+
+1) It breaks isochronous support for all userspace apps using libusb,
+   as existing libusb versions pass in 0 for uurb->buffer_length,
+   relying on the kernel using the lenghts of the usbdevfs_iso_packet_desc
+   descriptors passed in added together as buffer length.
+
+   This for example causes redirection of USB audio and Webcam's into
+   virtual machines using qemu-kvm to no longer work. This is a userspace
+   ABI break and as such must be reverted.
+
+   Note that the original commit does not protect other users / the
+   kernels memory, it only stops the userspace process making the call
+   from shooting itself in the foot.
+
+2) It may cause the kernel to program host controllers to DMA over random
+   memory. Just as the devio code used to only look at the iso_packet_desc
+   lenghts, the host drivers do the same, relying on the submitter of the
+   urbs to make sure the entire buffer is large enough and not checking
+   transfer_buffer_length.
+
+   But the "USB: devio: Don't corrupt user memory" commit now takes the
+   userspace provided uurb->buffer_length for the buffer-size while copying
+   over the user-provided iso_packet_desc lengths 1:1, allowing the user
+   to specify a small buffer size while programming the host controller to
+   dma a lot more data.
+
+   (Atleast the ohci, uhci, xhci and fhci drivers do not check
+    transfer_buffer_length for isoc transfers.)
+
+This reverts commit fa1ed74eb1c2 ("USB: devio: Don't corrupt user memory")
+fixing both these issues.
+
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1577,11 +1577,7 @@ static int proc_do_submiturb(struct usb_
+                       totlen += isopkt[u].length;
+               }
+               u *= sizeof(struct usb_iso_packet_descriptor);
+-              if (totlen <= uurb->buffer_length)
+-                      uurb->buffer_length = totlen;
+-              else
+-                      WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
+-                                totlen, uurb->buffer_length);
++              uurb->buffer_length = totlen;
+               break;
+ 
+       default: