Commit 6817ae225cd650fb1c3295d769298c38b1eba818
Committed by
Greg Kroah-Hartman
1 parent
c3d3af5290
Exists in
ti-lsk-linux-4.1.y
and in
10 other branches
USB: whiteheat: Added bounds checking for bulk command response
This patch fixes a potential security issue in the whiteheat USB driver which might allow a local attacker to cause kernel memory corrpution. This is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On EHCI and XHCI busses it's possible to craft responses greater than 64 bytes leading a buffer overflow. Signed-off-by: James Forshaw <forshaw@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Showing 1 changed file with 6 additions and 1 deletions Side-by-side Diff
drivers/usb/serial/whiteheat.c
... | ... | @@ -514,6 +514,10 @@ |
514 | 514 | dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__); |
515 | 515 | return; |
516 | 516 | } |
517 | + if (!urb->actual_length) { | |
518 | + dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__); | |
519 | + return; | |
520 | + } | |
517 | 521 | if (status) { |
518 | 522 | dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status); |
519 | 523 | if (status != -ENOENT) |
... | ... | @@ -534,7 +538,8 @@ |
534 | 538 | /* These are unsolicited reports from the firmware, hence no |
535 | 539 | waiting command to wakeup */ |
536 | 540 | dev_dbg(&urb->dev->dev, "%s - event received\n", __func__); |
537 | - } else if (data[0] == WHITEHEAT_GET_DTR_RTS) { | |
541 | + } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) && | |
542 | + (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) { | |
538 | 543 | memcpy(command_info->result_buffer, &data[1], |
539 | 544 | urb->actual_length - 1); |
540 | 545 | command_info->command_finished = WHITEHEAT_CMD_COMPLETE; |
-
mentioned in commit b3d60c
-
mentioned in commit ebc808
-
mentioned in commit ebc808
-
mentioned in commit ebc808
-
mentioned in commit ebc808
-
mentioned in commit ebc808