USB: whiteheat: Added bounds checking for bulk command response

This patch fixes a potential security issue in the whiteheat USB driver which might allow a local attacker to cause kernel memory corrpution. This is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On EHCI and XHCI busses it's possible to craft responses greater than 64 bytes leading a buffer overflow. Signed-off-by: James Forshaw <forshaw@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: whiteheat: Added bounds checking for bulk command response
This patch fixes a potential security issue in the whiteheat USB driver which might allow a local attacker to cause kernel memory corrpution. This is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On EHCI and XHCI busses it's possible to craft responses greater than 64 bytes leading a buffer overflow. Signed-off-by: James Forshaw <forshaw@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
James Forshaw · Greg Kroah-Hartman · Eric Lee · Eric Lee · Eric Lee · Eric Lee
1 parent c3d3af5290
Showing 1 changed file with 6 additions and 1 deletions Side-by-side Diff
drivers/usb/serial/whiteheat.c
@@ -514,6 +514,10 @@
 		dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
 		return;
 	}
+	if (!urb->actual_length) {
+		dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
+		return;
+	}
 	if (status) {
 		dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
 		if (status != -ENOENT)
@@ -534,7 +538,8 @@
 		/* These are unsolicited reports from the firmware, hence no
 		   waiting command to wakeup */
 		dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
-	} else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
+	} else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
+		(urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
 		memcpy(command_info->result_buffer, &data[1],
 						urb->actual_length - 1);
 		command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
...	...	@@ -514,6 +514,10 @@
514	514	dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
515	515	return;
516	516	}
	517	+ if (!urb->actual_length) {
	518	+ dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
	519	+ return;
	520	+ }
517	521	if (status) {
518	522	dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
519	523	if (status != -ENOENT)
...	...	@@ -534,7 +538,8 @@
534	538	/* These are unsolicited reports from the firmware, hence no
535	539	waiting command to wakeup */
536	540	dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
537		- } else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
	541	+ } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
	542	+ (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
538	543	memcpy(command_info->result_buffer, &data[1],
539	544	urb->actual_length - 1);
540	545	command_info->command_finished = WHITEHEAT_CMD_COMPLETE;