USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143)
This commit is contained in:
parent
aefd886eef
commit
888eb1f799
|
@ -8,6 +8,7 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
|
||||||
* [x86] KVM: SVM: Fix potential memory leak in svm_cpu_init()
|
* [x86] KVM: SVM: Fix potential memory leak in svm_cpu_init()
|
||||||
(CVE-2020-12768)
|
(CVE-2020-12768)
|
||||||
* scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770)
|
* scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770)
|
||||||
|
* USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143)
|
||||||
|
|
||||||
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 28 May 2020 23:02:30 +0200
|
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 28 May 2020 23:02:30 +0200
|
||||||
|
|
||||||
|
|
78
debian/patches/bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
vendored
Normal file
78
debian/patches/bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
vendored
Normal file
|
@ -0,0 +1,78 @@
|
||||||
|
From: Kyungtae Kim <kt0755@gmail.com>
|
||||||
|
Date: Sun, 10 May 2020 05:43:34 +0000
|
||||||
|
Subject: USB: gadget: fix illegal array access in binding with UDC
|
||||||
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=a105bb549252e3e8bd9db0bdd81cdd6a853e4238
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-13143
|
||||||
|
|
||||||
|
commit 15753588bcd4bbffae1cca33c8ced5722477fe1f upstream.
|
||||||
|
|
||||||
|
FuzzUSB (a variant of syzkaller) found an illegal array access
|
||||||
|
using an incorrect index while binding a gadget with UDC.
|
||||||
|
|
||||||
|
Reference: https://www.spinics.net/lists/linux-usb/msg194331.html
|
||||||
|
|
||||||
|
This bug occurs when a size variable used for a buffer
|
||||||
|
is misused to access its strcpy-ed buffer.
|
||||||
|
Given a buffer along with its size variable (taken from user input),
|
||||||
|
from which, a new buffer is created using kstrdup().
|
||||||
|
Due to the original buffer containing 0 value in the middle,
|
||||||
|
the size of the kstrdup-ed buffer becomes smaller than that of the original.
|
||||||
|
So accessing the kstrdup-ed buffer with the same size variable
|
||||||
|
triggers memory access violation.
|
||||||
|
|
||||||
|
The fix makes sure no zero value in the buffer,
|
||||||
|
by comparing the strlen() of the orignal buffer with the size variable,
|
||||||
|
so that the access to the kstrdup-ed buffer is safe.
|
||||||
|
|
||||||
|
BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200
|
||||||
|
drivers/usb/gadget/configfs.c:266
|
||||||
|
Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208
|
||||||
|
|
||||||
|
CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1
|
||||||
|
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
|
||||||
|
Call Trace:
|
||||||
|
__dump_stack lib/dump_stack.c:77 [inline]
|
||||||
|
dump_stack+0xce/0x128 lib/dump_stack.c:118
|
||||||
|
print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
|
||||||
|
__kasan_report+0x131/0x1b0 mm/kasan/report.c:506
|
||||||
|
kasan_report+0x12/0x20 mm/kasan/common.c:641
|
||||||
|
__asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
|
||||||
|
gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266
|
||||||
|
flush_write_buffer fs/configfs/file.c:251 [inline]
|
||||||
|
configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283
|
||||||
|
__vfs_write+0x85/0x110 fs/read_write.c:494
|
||||||
|
vfs_write+0x1cd/0x510 fs/read_write.c:558
|
||||||
|
ksys_write+0x18a/0x220 fs/read_write.c:611
|
||||||
|
__do_sys_write fs/read_write.c:623 [inline]
|
||||||
|
__se_sys_write fs/read_write.c:620 [inline]
|
||||||
|
__x64_sys_write+0x73/0xb0 fs/read_write.c:620
|
||||||
|
do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
|
||||||
|
entry_SYSCALL_64_after_hwframe+0x49/0xbe
|
||||||
|
|
||||||
|
Signed-off-by: Kyungtae Kim <kt0755@gmail.com>
|
||||||
|
Reported-and-tested-by: Kyungtae Kim <kt0755@gmail.com>
|
||||||
|
Cc: Felipe Balbi <balbi@kernel.org>
|
||||||
|
Cc: stable <stable@vger.kernel.org>
|
||||||
|
Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01
|
||||||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||||
|
---
|
||||||
|
drivers/usb/gadget/configfs.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
|
||||||
|
index ab9ac48a751a..a7709d126b29 100644
|
||||||
|
--- a/drivers/usb/gadget/configfs.c
|
||||||
|
+++ b/drivers/usb/gadget/configfs.c
|
||||||
|
@@ -260,6 +260,9 @@ static ssize_t gadget_dev_desc_UDC_store(struct config_item *item,
|
||||||
|
char *name;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
+ if (strlen(page) < len)
|
||||||
|
+ return -EOVERFLOW;
|
||||||
|
+
|
||||||
|
name = kstrdup(page, GFP_KERNEL);
|
||||||
|
if (!name)
|
||||||
|
return -ENOMEM;
|
||||||
|
--
|
||||||
|
2.27.0.rc0
|
||||||
|
|
|
@ -305,5 +305,6 @@ bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch
|
||||||
bugfix/all/usb-core-fix-free-while-in-use-bug-in-the-usb-s-glib.patch
|
bugfix/all/usb-core-fix-free-while-in-use-bug-in-the-usb-s-glib.patch
|
||||||
bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
|
bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
|
||||||
bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch
|
bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch
|
||||||
|
bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
|
||||||
|
|
||||||
# ABI maintenance
|
# ABI maintenance
|
||||||
|
|
Loading…
Reference in New Issue