From: Greg Kroah-Hartman Date: Mon, 2 May 2016 16:29:19 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.14.68~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=443a54d9709d182e23f93438ec80cc664b3c345a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: usb-usbip-fix-potential-out-of-bounds-write.patch --- diff --git a/queue-3.14/series b/queue-3.14/series index eb01ad371c3..32833b169b4 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -18,3 +18,4 @@ asoc-s3c24xx-use-const-snd_soc_component_driver-pointer.patch asoc-rt5640-correct-the-digital-interface-data-select.patch efi-fix-out-of-bounds-read-in-variable_matches.patch workqueue-fix-ghost-pending-flag-while-doing-mq-io.patch +usb-usbip-fix-potential-out-of-bounds-write.patch diff --git a/queue-3.14/usb-usbip-fix-potential-out-of-bounds-write.patch b/queue-3.14/usb-usbip-fix-potential-out-of-bounds-write.patch new file mode 100644 index 00000000000..ebf3d57df29 --- /dev/null +++ b/queue-3.14/usb-usbip-fix-potential-out-of-bounds-write.patch @@ -0,0 +1,47 @@ +From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001 +From: Ignat Korchagin +Date: Thu, 17 Mar 2016 18:00:29 +0000 +Subject: USB: usbip: fix potential out-of-bounds write + +From: Ignat Korchagin + +commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb upstream. + +Fix potential out-of-bounds write to urb->transfer_buffer +usbip handles network communication directly in the kernel. When receiving a +packet from its peer, usbip code parses headers according to protocol. As +part of this parsing urb->actual_length is filled. Since the input for +urb->actual_length comes from the network, it should be treated as untrusted. +Any entity controlling the network may put any value in the input and the +preallocated urb->transfer_buffer may not be large enough to hold the data. +Thus, the malicious entity is able to write arbitrary data to kernel memory. + +Signed-off-by: Ignat Korchagin +Cc: Sasha Levin +Signed-off-by: Paul Gortmaker +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/usbip/usbip_common.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/staging/usbip/usbip_common.c ++++ b/drivers/staging/usbip/usbip_common.c +@@ -785,6 +785,17 @@ int usbip_recv_xbuff(struct usbip_device + if (!(size > 0)) + return 0; + ++ if (size > urb->transfer_buffer_length) { ++ /* should not happen, probably malicious packet */ ++ if (ud->side == USBIP_STUB) { ++ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); ++ return 0; ++ } else { ++ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); ++ return -EPIPE; ++ } ++ } ++ + ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); + if (ret != size) { + dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret);