From patchwork Wed Dec 12 11:42:24 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Greg KH <gregkh@linuxfoundation.org>
X-Patchwork-Id: 10726161
Return-Path: <linux-usb-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1F01614E2
	for <patchwork-linux-usb@patchwork.kernel.org>;
 Wed, 12 Dec 2018 11:42:31 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 00C292AB21
	for <patchwork-linux-usb@patchwork.kernel.org>;
 Wed, 12 Dec 2018 11:42:31 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id E93862AB4A; Wed, 12 Dec 2018 11:42:30 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8CDE92AB21
	for <patchwork-linux-usb@patchwork.kernel.org>;
 Wed, 12 Dec 2018 11:42:30 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727231AbeLLLm1 (ORCPT
        <rfc822;patchwork-linux-usb@patchwork.kernel.org>);
        Wed, 12 Dec 2018 06:42:27 -0500
Received: from mail.kernel.org ([198.145.29.99]:54536 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726869AbeLLLm1 (ORCPT <rfc822;linux-usb@vger.kernel.org>);
        Wed, 12 Dec 2018 06:42:27 -0500
Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id C111720870;
        Wed, 12 Dec 2018 11:42:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1544614946;
        bh=NulIyXDS25d0mJMhX7LGZYbAhOvtNZCLAUvn/YKvDh4=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=QdsB0g3bE9FVQzy2rxrOd5s7PBZtNslId1xFGI8zQJwjCU/dhk5fBd1fF5qyWLHrB
         e5ggamasVfSvtDPnIVjpAhk7EdcsJnm1Aw1nodfEwdikeSANYLwt9HPZZL5ZypihU+
         jP+Dpqf0NmxFV5MwK2SdZSRy89ltC3tWhMaPchm4=
Date: Wed, 12 Dec 2018 12:42:24 +0100
From: Greg KH <gregkh@linuxfoundation.org>
To: "David S. Miller" <davem@davemloft.net>, netdev@vger.kernel.org
Cc: linux-usb@vger.kernel.org,
        Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        Hui Peng <benquike@gmail.com>,
        Mathias Payer <mathias.payer@nebelwelt.net>
Subject: [PATCH v3] USB: hso: Fix OOB memory access in
 hso_probe/hso_get_config_data
Message-ID: <20181212114224.GB26559@kroah.com>
References: <20181209163245.GA25484@kroah.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20181209163245.GA25484@kroah.com>
User-Agent: Mutt/1.11.1 (2018-12-01)
Sender: linux-usb-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-usb.vger.kernel.org>
X-Mailing-List: linux-usb@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Hui Peng <benquike@gmail.com>

The function hso_probe reads if_num from the USB device (as an u8) and uses
it without a length check to index an array, resulting in an OOB memory read
in hso_probe or hso_get_config_data.

Add a length check for both locations and updated hso_probe to bail on
error.

This issue has been assigned CVE-2018-19985.

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

v3: redid the changelog text based on review comments from Sebastian

v2: fixed error check to just be < 0
    Added CVE to changelog text

 drivers/net/usb/hso.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 184c24baca15..d6916f787fce 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct usb_interface *interface)
 		return -EIO;
 	}
 
+	/* check if we have a valid interface */
+	if (if_num > 16) {
+		kfree(config_data);
+		return -EINVAL;
+	}
+
 	switch (config_data[if_num]) {
 	case 0x0:
 		result = 0;
@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interface *interface,
 
 	/* Get the interface/port specification from either driver_info or from
 	 * the device itself */
-	if (id->driver_info)
+	if (id->driver_info) {
+		/* if_num is controlled by the device, driver_info is a 0 terminated
+		 * array. Make sure, the access is in bounds! */
+		for (i = 0; i <= if_num; ++i)
+			if (((u32 *)(id->driver_info))[i] == 0)
+				goto exit;
 		port_spec = ((u32 *)(id->driver_info))[if_num];
-	else
+	} else {
 		port_spec = hso_get_config_data(interface);
+		if (port_spec < 0)
+			goto exit;
+	}
 
 	/* Check if we need to switch to alt interfaces prior to port
 	 * configuration */