Message ID | 20180724112804.28606-2-kleber.souza@canonical.com |
---|---|
State | New |
Series | Fix for CVE-2017-16914 |
On 24.07.2018 13:28, Kleber Sacilotto de Souza wrote: > From: Shuah Khan <shuahkh@osg.samsung.com> > > stub_send_ret_submit() handles urb with a potential null transfer_buffer, > when it replays a packet with potential malicious data that could contain > a null buffer. Add a check for the condition when actual_length > 0 and > transfer_buffer is null. > > Reported-by: Secunia Research <vuln@secunia.com> > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > CVE-2017-16914 > (backported from commit be6123df1ea8f01ee2f896a16c2b7be3e4557a5a) > [ klebers: adjusted the file path, the usbip is still under staging on > kernel 3.13. ] > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > drivers/staging/usbip/stub_tx.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/staging/usbip/stub_tx.c b/drivers/staging/usbip/stub_tx.c > index cd5326ae38cc..570713533a1f 100644 > --- a/drivers/staging/usbip/stub_tx.c > +++ b/drivers/staging/usbip/stub_tx.c > @@ -173,6 +173,13 @@ static int stub_send_ret_submit(struct stub_device *sdev) > memset(&pdu_header, 0, sizeof(pdu_header)); > memset(&msg, 0, sizeof(msg)); > > + if (urb->actual_length > 0 && !urb->transfer_buffer) { > + dev_err(&sdev->udev->dev, > + "urb: actual_length %d transfer_buffer null\n", > + urb->actual_length); > + return -1; > + } > + > if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) > iovnum = 2 + urb->number_of_packets; > else >
diff --git a/drivers/staging/usbip/stub_tx.c b/drivers/staging/usbip/stub_tx.c index cd5326ae38cc..570713533a1f 100644 --- a/drivers/staging/usbip/stub_tx.c +++ b/drivers/staging/usbip/stub_tx.c @@ -173,6 +173,13 @@ static int stub_send_ret_submit(struct stub_device *sdev) memset(&pdu_header, 0, sizeof(pdu_header)); memset(&msg, 0, sizeof(msg)); + if (urb->actual_length > 0 && !urb->transfer_buffer) { + dev_err(&sdev->udev->dev, + "urb: actual_length %d transfer_buffer null\n", + urb->actual_length); + return -1; + } + if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) iovnum = 2 + urb->number_of_packets; else
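Review bot: The new early return in stub_send_ret_submit() logs with an unratelimited dev_err() on a condition that, per the commit message, a replayed packet with malicious data can trigger, so a peer that repeats the packet can flood the kernel log. Consider dev_err_ratelimited() here. The format string uses %d for urb->actual_length, which is a u32 in struct urb, so %u is the matching specifier. The path also returns a bare -1 right after the two memset() calls; the hunk does not show how the caller handles that value or whether anything set up earlier in the function needs releasing before returning, so both are worth confirming against the full 3.13 source since this is a backport with an adjusted file path.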