net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650)

debian/changelog

@@ -131,6 +131,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium
   * media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646)
   * net: usb: asix: fill null-ptr-deref in asix_suspend (CVE-2017-16647)
   * net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649)
+  * net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650)
 
  -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 04 Nov 2017 09:54:41 +0100
 

debian/patches/bugfix/all/net-qmi_wwan-fix-divide-by-0-on-bad-descriptors.patch

@@ -0,0 +1,59 @@
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Mon, 6 Nov 2017 15:32:18 +0100
+Subject: net: qmi_wwan: fix divide by 0 on bad descriptors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/7fd078337201cf7468f53c3d9ef81ff78cb6df3b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16650
+
+A CDC Ethernet functional descriptor with wMaxSegmentSize = 0 will
+cause a divide error in usbnet_probe:
+
+divide error: 0000 [#1] PREEMPT SMP KASAN
+Modules linked in:
+CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc8-44453-g1fdc1a82c34f #56
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Workqueue: usb_hub_wq hub_event
+task: ffff88006bef5c00 task.stack: ffff88006bf60000
+RIP: 0010:usbnet_update_max_qlen+0x24d/0x390 drivers/net/usb/usbnet.c:355
+RSP: 0018:ffff88006bf67508 EFLAGS: 00010246
+RAX: 00000000000163c8 RBX: ffff8800621fce40 RCX: ffff8800621fcf34
+RDX: 0000000000000000 RSI: ffffffff837ecb7a RDI: ffff8800621fcf34
+RBP: ffff88006bf67520 R08: ffff88006bef5c00 R09: ffffed000c43f881
+R10: ffffed000c43f880 R11: ffff8800621fc406 R12: 0000000000000003
+R13: ffffffff85c71de0 R14: 0000000000000000 R15: 0000000000000000
+FS:  0000000000000000(0000) GS:ffff88006ca00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffe9c0d6dac CR3: 00000000614f4000 CR4: 00000000000006f0
+Call Trace:
+ usbnet_probe+0x18b5/0x2790 drivers/net/usb/usbnet.c:1783
+ qmi_wwan_probe+0x133/0x220 drivers/net/usb/qmi_wwan.c:1338
+ usb_probe_interface+0x324/0x940 drivers/usb/core/driver.c:361
+ really_probe drivers/base/dd.c:413
+ driver_probe_device+0x522/0x740 drivers/base/dd.c:557
+
+Fix by simply ignoring the bogus descriptor, as it is optional
+for QMI devices anyway.
+
+Fixes: 423ce8caab7e ("net: usb: qmi_wwan: New driver for Huawei QMI based WWAN devices")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/usb/qmi_wwan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 8c3733608271..a4f229edcceb 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -681,7 +681,7 @@ static int qmi_wwan_bind(struct usbnet *dev, struct usb_interface *intf)
+ 	}
+ 
+ 	/* errors aren't fatal - we can live with the dynamic address */
+-	if (cdc_ether) {
++	if (cdc_ether && cdc_ether->wMaxSegmentSize) {
+ 		dev->hard_mtu = le16_to_cpu(cdc_ether->wMaxSegmentSize);
+ 		usbnet_get_ethernet_addr(dev, cdc_ether->iMACAddress);
+ 	}

debian/patches/series

@@ -123,6 +123,7 @@ bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch
 bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch
 bugfix/all/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch
 bugfix/all/net-cdc_ether-fix-divide-by-0-on-bad-descriptors.patch
+bugfix/all/net-qmi_wwan-fix-divide-by-0-on-bad-descriptors.patch
 
 # Fix exported symbol versions
 bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch