Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 4d723dcb5b6b3030f29c7f2ed94907425ba13ecf
commit4d723dcb5b6b3030f29c7f2ed94907425ba13ecf[log] [tgz]
authorAlan Stern <stern@rowland.harvard.edu>Tue Dec 12 14:25:13 2017 -0500
committerBorjan Tchakaloff <borjan@fairphone.com>Tue Aug 14 18:06:53 2018 +0200
tree3e3ccc73424bdfd88c94df8b0a2c8adaab166bc3
parentbab9164ea259ff9e552588ae2a1bf50202892726 [diff]
USB: core: prevent malicious bNumInterfaces overflow

commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 upstream.

A malicious USB device with crafted descriptors can cause the kernel
to access unallocated memory by setting the bNumInterfaces value too
high in a configuration descriptor.  Although the value is adjusted
during parsing, this adjustment is skipped in one of the error return
paths.

This patch prevents the problem by setting bNumInterfaces to 0
initially.  The existing code already sets it to the proper value
after parsing is complete.

Bug: 71751622
Issue: SEC-1193
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I89bb5c8e48e7654aac05a7936f4ee92e1481ca65
(cherry picked from commit ac75d0c216fdcfcdd5de95ecc212c2e22efd1c7c)
1 file changed
tree: 3e3ccc73424bdfd88c94df8b0a2c8adaab166bc3
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. AndroidKernel.mk
  25. COPYING
  26. CREDITS
  27. Kbuild
  28. Kconfig
  29. MAINTAINERS
  30. Makefile
  31. README
  32. REPORTING-BUGS