From 888eb1f799fe93de090818cc5282a5655a67a147 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 29 May 2020 21:34:00 +0200
Subject: [PATCH] USB: gadget: fix illegal array access in binding with UDC
 (CVE-2020-13143)

---
 debian/changelog                              |  1 +
 ...llegal-array-access-in-binding-with-.patch | 78 +++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 80 insertions(+)
 create mode 100644 debian/patches/bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch

diff --git a/debian/changelog b/debian/changelog
index 61883698c..f6b86fee4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
   * [x86] KVM: SVM: Fix potential memory leak in svm_cpu_init()
     (CVE-2020-12768)
   * scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770)
+  * USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143)
 
  -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 28 May 2020 23:02:30 +0200
 
diff --git a/debian/patches/bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch b/debian/patches/bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
new file mode 100644
index 000000000..3a21b6391
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
@@ -0,0 +1,78 @@
+From: Kyungtae Kim <kt0755@gmail.com>
+Date: Sun, 10 May 2020 05:43:34 +0000
+Subject: USB: gadget: fix illegal array access in binding with UDC
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=a105bb549252e3e8bd9db0bdd81cdd6a853e4238
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-13143
+
+commit 15753588bcd4bbffae1cca33c8ced5722477fe1f upstream.
+
+FuzzUSB (a variant of syzkaller) found an illegal array access
+using an incorrect index while binding a gadget with UDC.
+
+Reference: https://www.spinics.net/lists/linux-usb/msg194331.html
+
+This bug occurs when a size variable used for a buffer
+is misused to access its strcpy-ed buffer.
+Given a buffer along with its size variable (taken from user input),
+from which, a new buffer is created using kstrdup().
+Due to the original buffer containing 0 value in the middle,
+the size of the kstrdup-ed buffer becomes smaller than that of the original.
+So accessing the kstrdup-ed buffer with the same size variable
+triggers memory access violation.
+
+The fix makes sure no zero value in the buffer,
+by comparing the strlen() of the orignal buffer with the size variable,
+so that the access to the kstrdup-ed buffer is safe.
+
+BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200
+drivers/usb/gadget/configfs.c:266
+Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208
+
+CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xce/0x128 lib/dump_stack.c:118
+ print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
+ __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
+ kasan_report+0x12/0x20 mm/kasan/common.c:641
+ __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+ gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266
+ flush_write_buffer fs/configfs/file.c:251 [inline]
+ configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283
+ __vfs_write+0x85/0x110 fs/read_write.c:494
+ vfs_write+0x1cd/0x510 fs/read_write.c:558
+ ksys_write+0x18a/0x220 fs/read_write.c:611
+ __do_sys_write fs/read_write.c:623 [inline]
+ __se_sys_write fs/read_write.c:620 [inline]
+ __x64_sys_write+0x73/0xb0 fs/read_write.c:620
+ do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Signed-off-by: Kyungtae Kim <kt0755@gmail.com>
+Reported-and-tested-by: Kyungtae Kim <kt0755@gmail.com>
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/configfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
+index ab9ac48a751a..a7709d126b29 100644
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -260,6 +260,9 @@ static ssize_t gadget_dev_desc_UDC_store(struct config_item *item,
+ 	char *name;
+ 	int ret;
+ 
++	if (strlen(page) < len)
++		return -EOVERFLOW;
++
+ 	name = kstrdup(page, GFP_KERNEL);
+ 	if (!name)
+ 		return -ENOMEM;
+-- 
+2.27.0.rc0
+
diff --git a/debian/patches/series b/debian/patches/series
index 67efa3575..0968e27e7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -305,5 +305,6 @@ bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch
 bugfix/all/usb-core-fix-free-while-in-use-bug-in-the-usb-s-glib.patch
 bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
 bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch
+bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
 
 # ABI maintenance