| From: Tobias Herzog <t-herzog@gmx.de> |
| Date: Thu, 30 Mar 2017 22:15:10 +0200 |
| Subject: cdc-acm: fix possible invalid access when processing notification |
| |
| commit 1bb9914e1730417d530de9ed37e59efdc647146b upstream. |
| |
| Notifications may only be 8 bytes long. Accessing the 9th and |
| 10th byte of unimplemented/unknown notifications may be insecure. |
| Also check the length of known notifications before accessing anything |
| behind the 8th byte. |
| |
| Signed-off-by: Tobias Herzog <t-herzog@gmx.de> |
| Acked-by: Oliver Neukum <oneukum@suse.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| [bwh: Backported to 3.2: adjust context] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| drivers/usb/class/cdc-acm.c | 13 +++++++++---- |
| 1 file changed, 9 insertions(+), 4 deletions(-) |
| |
| --- a/drivers/usb/class/cdc-acm.c |
| +++ b/drivers/usb/class/cdc-acm.c |
| @@ -293,6 +293,12 @@ static void acm_ctrl_irq(struct urb *urb |
| break; |
| |
| case USB_CDC_NOTIFY_SERIAL_STATE: |
| + if (le16_to_cpu(dr->wLength) != 2) { |
| + dev_dbg(&acm->control->dev, |
| + "%s - malformed serial state\n", __func__); |
| + break; |
| + } |
| + |
| tty = tty_port_tty_get(&acm->port); |
| newctrl = get_unaligned_le16(data); |
| |
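Review bot: The new guard in the USB_CDC_NOTIFY_SERIAL_STATE case validates only the device-declared `dr->wLength`, not how many bytes the transfer actually delivered. A device that claims a length of 2 but sends only the 8-byte header would still have `get_unaligned_le16(data)` read bytes that were not part of this notification. Unless the received size is already checked earlier in acm_ctrl_irq (its body starts and ends outside this hunk), the condition should cover it too, e.g. `if (le16_to_cpu(dr->wLength) != 2 || urb->actual_length < sizeof(*dr) + 2) {`, assuming `dr` points at the 8-byte notification header. A short comment such as `/* serial state payload is exactly 2 bytes */` would also explain the constant.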
| @@ -323,11 +329,10 @@ static void acm_ctrl_irq(struct urb *urb |
| |
| default: |
| dev_dbg(&acm->control->dev, |
| - "%s - unknown notification %d received: index %d " |
| - "len %d data0 %d data1 %d\n", |
| + "%s - unknown notification %d received: index %d len %d\n", |
| __func__, |
| - dr->bNotificationType, dr->wIndex, |
| - dr->wLength, data[0], data[1]); |
| + dr->bNotificationType, dr->wIndex, dr->wLength); |
| + |
| break; |
| } |
| exit: |
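Review bot: In the default case the remaining `dr->wIndex` and `dr->wLength` arguments are passed to `%d` as raw little-endian wire fields, while the first hunk of this same patch reads wLength through `le16_to_cpu()`. On a big-endian host the debug line would print byte-swapped values, which makes a malformed notification harder to diagnose from logs. For consistency the argument line could read `dr->bNotificationType, le16_to_cpu(dr->wIndex), le16_to_cpu(dr->wLength));`. The blank line added before `break;` is not needed; acm_ctrl_irq continues outside the hunk.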