diff --git a/debian/changelog b/debian/changelog index 1978318c2..4bea355d2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,7 @@ linux (4.5.1-2) UNRELEASED; urgency=medium [ Salvatore Bonaccorso ] * [x86] xen: suppress hugetlbfs in PV guests (CVE-2016-3961) + * [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955) [ Ben Hutchings ] * fs: Consolidate softdep declarations in each module diff --git a/debian/patches/bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch b/debian/patches/bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch new file mode 100644 index 000000000..2a2c4bdb4 --- /dev/null +++ b/debian/patches/bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From: Ignat Korchagin +Date: Thu, 17 Mar 2016 18:00:29 +0000 +Subject: USB: usbip: fix potential out-of-bounds write +Origin: https://git.kernel.org/linus/b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb + +Fix potential out-of-bounds write to urb->transfer_buffer +usbip handles network communication directly in the kernel. When receiving a +packet from its peer, usbip code parses headers according to protocol. As +part of this parsing urb->actual_length is filled. Since the input for +urb->actual_length comes from the network, it should be treated as untrusted. +Any entity controlling the network may put any value in the input and the +preallocated urb->transfer_buffer may not be large enough to hold the data. +Thus, the malicious entity is able to write arbitrary data to kernel memory. + +Signed-off-by: Ignat Korchagin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/usbip_common.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c +index facaaf0..e40da77 100644 +--- a/drivers/usb/usbip/usbip_common.c ++++ b/drivers/usb/usbip/usbip_common.c +@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) + if (!(size > 0)) + return 0; + ++ if (size > urb->transfer_buffer_length) { ++ /* should not happen, probably malicious packet */ ++ if (ud->side == USBIP_STUB) { ++ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); ++ return 0; ++ } else { ++ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); ++ return -EPIPE; ++ } ++ } ++ + ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); + if (ret != size) { + dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 719f1b984..850a13d4b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -124,6 +124,7 @@ bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-re.patch bugfix/all/ipv4-don-t-do-expensive-useless-work-during-inetdev-.patch bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch bugfix/x86/x86-xen-suppress-hugetlbfs-in-PV-guests.patch +bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch # Tools bug fixes bugfix/all/usbip-document-tcp-wrappers.patch