From df5b49213d3eeb7c32b2fffff15a98f7e186200c Mon Sep 17 00:00:00 2001 From: Hanjie Lin Date: Wed, 19 Dec 2018 17:04:01 +0800 Subject: [PATCH] RAVENPLAT-252: Kernel components USB - CVE-2017-17558[1/1] PD#SWPL-15901 Problem: In usb_destroy_configuration of config.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Solution: The fix is designed to make sure the driver only frees as many configurations and interfaces as it could have allocated. Platform: Raven Verify: Raven Change-Id: I4a3d2ad27d09e606d4e363a75ce09a2e2fcf0070 Signed-off-by: Hanjie Lin --- drivers/usb/core/config.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 5e6136d2ed71..c6578b321838 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -763,18 +763,21 @@ void usb_destroy_configuration(struct usb_device *dev) return; if (dev->rawdescriptors) { - for (i = 0; i < dev->descriptor.bNumConfigurations; i++) + for (i = 0; i < dev->descriptor.bNumConfigurations && + i < USB_MAXCONFIG; i++) kfree(dev->rawdescriptors[i]); kfree(dev->rawdescriptors); dev->rawdescriptors = NULL; } - for (c = 0; c < dev->descriptor.bNumConfigurations; c++) { + for (c = 0; c < dev->descriptor.bNumConfigurations && + c < USB_MAXCONFIG; c++) { struct usb_host_config *cf = &dev->config[c]; kfree(cf->string); - for (i = 0; i < cf->desc.bNumInterfaces; i++) { + for (i = 0; i < cf->desc.bNumInterfaces && + i < USB_MAXINTERFACES; i++) { if (cf->intf_cache[i]) kref_put(&cf->intf_cache[i]->ref, usb_release_interface_cache);