Patchwork [hardy,CVE,1/1] UBUNTU: SAUCE: auerswald: validate the length of USB strings

Submitter Andy Whitcroft
Date Oct. 6, 2011, 5:16 p.m.
Message ID <1317921370-25771-2-git-send-email-apw@canonical.com>
Permalink /patch/118136/
State New

Comments

Andy Whitcroft - Oct. 6, 2011, 5:16 p.m.
When attempting to name a device we request various strings from the
device.  A malicious device could return very long strings triggering a
buffer overflow.

CVE-2009-4067
BugLink: http://bugs.launchpad.net/bugs/869195
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 drivers/usb/misc/auerswald.c |   14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

Seth Forshee - Oct. 6, 2011, 7:33 p.m.
On Thu, Oct 06, 2011 at 06:16:10PM +0100, Andy Whitcroft wrote:
> When attempting to name a device we request various strings from the
> device.  A malicious device could return very long strings triggering a
> buffer overflow.
> 
> CVE-2009-4067
> BugLink: http://bugs.launchpad.net/bugs/869195
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  drivers/usb/misc/auerswald.c |   14 ++++++++++++--
>  1 files changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/usb/misc/auerswald.c b/drivers/usb/misc/auerswald.c
> index df7e1ec..5111b80 100644
> --- a/drivers/usb/misc/auerswald.c
> +++ b/drivers/usb/misc/auerswald.c
> @@ -1945,13 +1945,23 @@ static int auerswald_probe (struct usb_interface *intf,
>  	/* Try to get a suitable textual description of the device */
>  	/* Device name:*/
>  	ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1);
> -	if (ret >= 0) {
> +	/*
> +	 * If we were successful, and there is room remaining for a serial
> +	 * number then look it up and append it.  Assume the serial number
> +	 * is at least 4 digits.
> +	 */
> +	if (ret >= 0 && ret < AUSI_DLEN-1-6-4) {
>  		u += ret;
>  		/* Append Serial Number */
>  		memcpy(&cp->dev_desc[u], ",Ser# ", 6);
>  		u += 6;
>  		ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1);
> -		if (ret >= 0) {
> +		/*
> +		 * If we were successful and there is room remaining for
> +		 * the subscriber prefix then look it up and append it.
> +		 * Assume the subscriber number is at least 1 digit.
> +		 */
> +		if (ret >= 0 && ret < AUSI_DLEN-u-1-2-1) {
>  			u += ret;
>  			/* Append subscriber number */
>  			memcpy(&cp->dev_desc[u], ", ", 2);
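
Review bot: The constants in the new bounds, `AUSI_DLEN-1-6-4` and `AUSI_DLEN-u-1-2-1`, repeat by hand the literal lengths passed to the two memcpy() calls (6 for `",Ser# "`, 2 for `", "`), so a later change to either separator can silently desynchronise the check from the copy. Deriving both from one source, for example a named macro per separator or `sizeof(",Ser# ") - 1` used in the test and in the memcpy(), would keep them tied together.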

Looks to do what it says, and should fix the potential for buffer
overflow.

Acked-by: Seth Forshee <seth.forshee@canonical.com>

Stefan Bader - Oct. 7, 2011, 8:22 a.m.
On 06.10.2011 19:16, Andy Whitcroft wrote:
> When attempting to name a device we request various strings from the
> device.  A malicious device could return very long strings triggering a
> buffer overflow.
> 
> CVE-2009-4067
> BugLink: http://bugs.launchpad.net/bugs/869195
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  drivers/usb/misc/auerswald.c |   14 ++++++++++++--
>  1 files changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/usb/misc/auerswald.c b/drivers/usb/misc/auerswald.c
> index df7e1ec..5111b80 100644
> --- a/drivers/usb/misc/auerswald.c
> +++ b/drivers/usb/misc/auerswald.c
> @@ -1945,13 +1945,23 @@ static int auerswald_probe (struct usb_interface *intf,
>  	/* Try to get a suitable textual description of the device */
>  	/* Device name:*/
>  	ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1);
> -	if (ret >= 0) {
> +	/*
> +	 * If we were successful, and there is room remaining for a serial
> +	 * number then look it up and append it.  Assume the serial number
> +	 * is at least 4 digits.
> +	 */
> +	if (ret >= 0 && ret < AUSI_DLEN-1-6-4) {
>  		u += ret;
>  		/* Append Serial Number */
>  		memcpy(&cp->dev_desc[u], ",Ser# ", 6);
>  		u += 6;
>  		ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1);
> -		if (ret >= 0) {
> +		/*
> +		 * If we were successful and there is room remaining for
> +		 * the subscriber prefix then look it up and append it.
> +		 * Assume the subscriber number is at least 1 digit.
> +		 */
> +		if (ret >= 0 && ret < AUSI_DLEN-u-1-2-1) {
>  			u += ret;
>  			/* Append subscriber number */
>  			memcpy(&cp->dev_desc[u], ", ", 2);
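
Review bot: When either new test fails, in `if (ret >= 0 && ret < AUSI_DLEN-1-6-4)` or in the inner `ret < AUSI_DLEN-u-1-2-1`, the rest of the description is skipped silently, so a device that returned an over-long string is indistinguishable from one where usb_string() returned an error. Since the commit message names a malicious device as the source of such strings, a warning-level log message on the too-long path would give an administrator something to find. The added comments could also state that the description is left without the serial or subscriber suffix in that case.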

Patch

diff --git a/drivers/usb/misc/auerswald.c b/drivers/usb/misc/auerswald.c
index df7e1ec..5111b80 100644
--- a/drivers/usb/misc/auerswald.c
+++ b/drivers/usb/misc/auerswald.c
@@ -1945,13 +1945,23 @@  static int auerswald_probe (struct usb_interface *intf,
 	/* Try to get a suitable textual description of the device */
 	/* Device name:*/
 	ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1);
-	if (ret >= 0) {
+	/*
+	 * If we were successful, and there is room remaining for a serial
+	 * number then look it up and append it.  Assume the serial number
+	 * is at least 4 digits.
+	 */
+	if (ret >= 0 && ret < AUSI_DLEN-1-6-4) {
 		u += ret;
 		/* Append Serial Number */
 		memcpy(&cp->dev_desc[u], ",Ser# ", 6);
 		u += 6;
 		ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1);
-		if (ret >= 0) {
+		/*
+		 * If we were successful and there is room remaining for
+		 * the subscriber prefix then look it up and append it.
+		 * Assume the subscriber number is at least 1 digit.
+		 */
+		if (ret >= 0 && ret < AUSI_DLEN-u-1-2-1) {
 			u += ret;
 			/* Append subscriber number */
 			memcpy(&cp->dev_desc[u], ", ", 2);
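
Review bot: The first bound, `if (ret >= 0 && ret < AUSI_DLEN-1-6-4)`, is computed without `u`, while the second is written as `ret < AUSI_DLEN-u-1-2-1`; the first form is only correct if `u` is 0 when this block is entered, and the hunk does not show where `u` is initialised. The preceding usb_string() call writes at `cp->dev_desc` with a limit of `AUSI_DLEN-1`, which is consistent with that, but writing the test as `ret < AUSI_DLEN-u-1-6-4` would make both checks follow the same pattern and keep the bound right if an earlier offset is ever introduced.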