[Linux-stable-mirror] Patch "usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input" has been added to the 4.14-stable tree - Linux-stable-mirror

14 Jan 2018

This is a note to let you know that I've just added the patch titled
usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input
to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is:
     usbip-fix-vudc_rx-harden-cmd_submit-path-to-handle-malicious-input.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let stable@vger.kernel.org know about it.
...
From b78d830f0049ef1966dc1e0ebd1ec2a594e2cf25 Mon Sep 17 00:00:00 2001
From: Shuah Khan shuahkh@osg.samsung.com
Date: Fri, 22 Dec 2017 19:23:46 -0700
Subject: usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input
From: Shuah Khan shuahkh@osg.samsung.com
commit b78d830f0049ef1966dc1e0ebd1ec2a594e2cf25 upstream.
Harden CMD_SUBMIT path to handle malicious input that could trigger
large memory allocations. Add checks to validate transfer_buffer_length
and number_of_packets to protect against bad input requesting for
unbounded memory allocations.
Signed-off-by: Shuah Khan shuahkh@osg.samsung.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 drivers/usb/usbip/vudc_rx.c |   19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- a/drivers/usb/usbip/vudc_rx.c
+++ b/drivers/usb/usbip/vudc_rx.c
@@ -132,6 +132,25 @@ static int v_recv_cmd_submit(struct vudc
    urb_p->new = 1;
    urb_p->seqnum = pdu->base.seqnum;
+	if (urb_p->ep->type == USB_ENDPOINT_XFER_ISOC) {
+		/* validate packet size and number of packets */
+		unsigned int maxp, packets, bytes;
+
+		maxp = usb_endpoint_maxp(urb_p->ep->desc);
+		maxp *= usb_endpoint_maxp_mult(urb_p->ep->desc);
+		bytes = pdu->u.cmd_submit.transfer_buffer_length;
+		packets = DIV_ROUND_UP(bytes, maxp);
+
+		if (pdu->u.cmd_submit.number_of_packets < 0 ||
+		    pdu->u.cmd_submit.number_of_packets > packets) {
+			dev_err(&udc->gadget.dev,
+				"CMD_SUBMIT: isoc invalid num packets %d\n",
+				pdu->u.cmd_submit.number_of_packets);
+			ret = -EMSGSIZE;
+			goto free_urbp;
+		}
+	}
+
    ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type);
    if (ret) {
    	usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC);
Patches currently in stable-queue which might be from shuahkh@osg.samsung.com are
queue-4.14/usbip-fix-vudc_rx-harden-cmd_submit-path-to-handle-malicious-input.patch
queue-4.14/usbip-remove-kernel-addresses-from-usb-device-and-urb-debug-msgs.patch
queue-4.14/usbip-vudc_tx-fix-v_send_ret_submit-vulnerability-to-null-xfer-buffer.patch

    