shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-07 11:26:02 +09:00
Code Issues Packages Projects Releases Wiki Activity

RAVENPLAT-252: Kernel components USB - CVE-2017-17558[1/1]

Browse Source 
PD#SWPL-15901

Problem:
In usb_destroy_configuration of config.c, there is a possible
out of bounds write due to a missing bounds check. This could
lead to local escalation of privilege with no additional execution
privileges needed. User interaction is not needed for exploitation.

Solution:
The fix is designed to make sure the driver only frees as many
configurations and interfaces as it could have allocated.

Platform:
Raven

Verify:
Raven

Change-Id: I4a3d2ad27d09e606d4e363a75ce09a2e2fcf0070
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
This commit is contained in:
Hanjie Lin
2018-12-19 17:04:01 +08:00
committed by Chris
parent 6933bb77ea
commit df5b49213d
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
drivers/usb/core/config.c
View File

@@ -763,18 +763,21 @@ void usb_destroy_configuration(struct usb_device *dev)
return;
if (dev->rawdescriptors) {
for (i = 0; i < dev->descriptor.bNumConfigurations; i++)
for (i = 0; i < dev->descriptor.bNumConfigurations &&
i < USB_MAXCONFIG; i++)
kfree(dev->rawdescriptors[i]);
kfree(dev->rawdescriptors);
dev->rawdescriptors = NULL;
}
for (c = 0; c < dev->descriptor.bNumConfigurations; c++) {
for (c = 0; c < dev->descriptor.bNumConfigurations &&
c < USB_MAXCONFIG; c++) {
struct usb_host_config *cf = &dev->config[c];
kfree(cf->string);
for (i = 0; i < cf->desc.bNumInterfaces; i++) {
for (i = 0; i < cf->desc.bNumInterfaces &&
i < USB_MAXINTERFACES; i++) {
if (cf->intf_cache[i])
kref_put(&cf->intf_cache[i]->ref,
usb_release_interface_cache);