Bugzilla – Bug 1072561
VUL-0: CVE-2017-17558: kernel: usb_destroy_configuration function in drivers/usb/core/config.c allows local users to cause a denial of service
Last modified: 2022-03-04 20:21:18 UTC
CVE-2017-17558 The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17558 http://seclists.org/oss-sec/2017/q4/392 http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17558.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17558 http://www.cvedetails.com/cve/CVE-2017-17558/ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17558 https://www.spinics.net/lists/linux-usb/msg163644.html
Upstream has gone for this alternative fix: A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths. This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-by: Andrey Konovalov <andreyknvl@google.com> CC: <stable@vger.kernel.org> --- [as1855] drivers/usb/core/config.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) Index: usb-4.x/drivers/usb/core/config.c =================================================================== --- usb-4.x.orig/drivers/usb/core/config.c +++ usb-4.x/drivers/usb/core/config.c @@ -555,6 +555,9 @@ static int usb_parse_configuration(struc unsigned iad_num = 0; memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE); + nintf = nintf_orig = config->desc.bNumInterfaces; + config->desc.bNumInterfaces = 0; // Adjusted later + if (config->desc.bDescriptorType != USB_DT_CONFIG || config->desc.bLength < USB_DT_CONFIG_SIZE || config->desc.bLength > size) { @@ -568,7 +571,6 @@ static int usb_parse_configuration(struc buffer += config->desc.bLength; size -= config->desc.bLength; - nintf = nintf_orig = config->desc.bNumInterfaces; if (nintf > USB_MAXINTERFACES) { dev_warn(ddev, "config %d has too many interfaces: %d, " "using maximum allowed: %d\n",
And Greg has changed his mind back to the original patch. Annoying.
And he has changed his mind about changing his mind. I will defer this till tomorrow.
Patch added to all cve and SLE15 trees.
SUSE-SU-2018:0011-1: An update that solves 17 vulnerabilities and has 13 fixes is now available. Category: security (important) Bug References: 1013018,1024612,1034862,1045479,1045538,1047487,1048185,1050231,1050431,1056982,1063043,1065180,1065600,1066569,1066693,1066973,1068032,1068671,1068984,1069702,1070771,1070964,1071074,1071470,1071695,1072457,1072561,1072876,1073792,1073874 CVE References: CVE-2017-11600,CVE-2017-13167,CVE-2017-14106,CVE-2017-15115,CVE-2017-15868,CVE-2017-16534,CVE-2017-16538,CVE-2017-16939,CVE-2017-17450,CVE-2017-17558,CVE-2017-17805,CVE-2017-17806,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2017-7472,CVE-2017-8824 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): kernel-docs-3.0.101-108.21.2 SUSE Linux Enterprise Server 11-SP4 (src): kernel-bigmem-3.0.101-108.21.1, kernel-default-3.0.101-108.21.1, kernel-ec2-3.0.101-108.21.1, kernel-pae-3.0.101-108.21.1, kernel-ppc64-3.0.101-108.21.1, kernel-source-3.0.101-108.21.1, kernel-syms-3.0.101-108.21.1, kernel-trace-3.0.101-108.21.1, kernel-xen-3.0.101-108.21.1 SUSE Linux Enterprise Server 11-EXTRA (src): kernel-default-3.0.101-108.21.1, kernel-pae-3.0.101-108.21.1, kernel-ppc64-3.0.101-108.21.1, kernel-trace-3.0.101-108.21.1, kernel-xen-3.0.101-108.21.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): kernel-bigmem-3.0.101-108.21.1, kernel-default-3.0.101-108.21.1, kernel-ec2-3.0.101-108.21.1, kernel-pae-3.0.101-108.21.1, kernel-ppc64-3.0.101-108.21.1, kernel-trace-3.0.101-108.21.1, kernel-xen-3.0.101-108.21.1
SUSE-SU-2018:0031-1: An update that solves 14 vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1012422,1045205,1050231,1066569,1066693,1067678,1068032,1068671,1070771,1070781,1071074,1071470,1071693,1071694,1071695,1072561,1072876 CVE References: CVE-2017-11600,CVE-2017-13167,CVE-2017-15115,CVE-2017-15868,CVE-2017-16534,CVE-2017-16538,CVE-2017-17448,CVE-2017-17449,CVE-2017-17450,CVE-2017-17558,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2017-8824 Sources used: SUSE OpenStack Cloud 6 (src): kernel-default-3.12.74-60.64.69.1, kernel-source-3.12.74-60.64.69.1, kernel-syms-3.12.74-60.64.69.1, kernel-xen-3.12.74-60.64.69.1, kgraft-patch-SLE12-SP1_Update_24-1-2.3.1 SUSE Linux Enterprise Server for SAP 12-SP1 (src): kernel-default-3.12.74-60.64.69.1, kernel-source-3.12.74-60.64.69.1, kernel-syms-3.12.74-60.64.69.1, kernel-xen-3.12.74-60.64.69.1, kgraft-patch-SLE12-SP1_Update_24-1-2.3.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): kernel-default-3.12.74-60.64.69.1, kernel-source-3.12.74-60.64.69.1, kernel-syms-3.12.74-60.64.69.1, kernel-xen-3.12.74-60.64.69.1, kgraft-patch-SLE12-SP1_Update_24-1-2.3.1 SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.74-60.64.69.1
SUSE-SU-2018:0040-1: An update that solves 32 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1010175,1034862,1045327,1050231,1052593,1056982,1057179,1057389,1058524,1062520,1063544,1063667,1066295,1066472,1066569,1066573,1066606,1066618,1066625,1066650,1066671,1066693,1066700,1066705,1067085,1068032,1068671,1069702,1069708,1070771,1071074,1071470,1071695,1072561,1072876,1073792,1073874,1074033,999245 CVE References: CVE-2017-1000251,CVE-2017-11600,CVE-2017-13080,CVE-2017-13167,CVE-2017-14106,CVE-2017-14140,CVE-2017-14340,CVE-2017-15102,CVE-2017-15115,CVE-2017-15265,CVE-2017-15274,CVE-2017-15868,CVE-2017-16525,CVE-2017-16527,CVE-2017-16529,CVE-2017-16531,CVE-2017-16534,CVE-2017-16535,CVE-2017-16536,CVE-2017-16537,CVE-2017-16538,CVE-2017-16649,CVE-2017-16939,CVE-2017-17450,CVE-2017-17558,CVE-2017-17805,CVE-2017-17806,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2017-7472,CVE-2017-8824 Sources used: SUSE Linux Enterprise Server 11-SP3-LTSS (src): kernel-bigsmp-3.0.101-0.47.106.11.1, kernel-default-3.0.101-0.47.106.11.1, kernel-ec2-3.0.101-0.47.106.11.1, kernel-pae-3.0.101-0.47.106.11.1, kernel-source-3.0.101-0.47.106.11.1, kernel-syms-3.0.101-0.47.106.11.1, kernel-trace-3.0.101-0.47.106.11.1, kernel-xen-3.0.101-0.47.106.11.1 SUSE Linux Enterprise Server 11-EXTRA (src): kernel-bigsmp-3.0.101-0.47.106.11.1, kernel-default-3.0.101-0.47.106.11.1, kernel-pae-3.0.101-0.47.106.11.1, kernel-ppc64-3.0.101-0.47.106.11.1, kernel-trace-3.0.101-0.47.106.11.1, kernel-xen-3.0.101-0.47.106.11.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): kernel-default-3.0.101-0.47.106.11.1, kernel-ec2-3.0.101-0.47.106.11.1, kernel-pae-3.0.101-0.47.106.11.1, kernel-source-3.0.101-0.47.106.11.1, kernel-syms-3.0.101-0.47.106.11.1, kernel-trace-3.0.101-0.47.106.11.1, kernel-xen-3.0.101-0.47.106.11.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): kernel-bigsmp-3.0.101-0.47.106.11.1, kernel-default-3.0.101-0.47.106.11.1, kernel-ec2-3.0.101-0.47.106.11.1, kernel-pae-3.0.101-0.47.106.11.1, kernel-trace-3.0.101-0.47.106.11.1, kernel-xen-3.0.101-0.47.106.11.1
SUSE-SU-2018:0115-1: An update that solves 14 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1045205,1050231,1066569,1066693,1068032,1068671,1070771,1070781,1071074,1071470,1071693,1071694,1071695,1072561,1072876 CVE References: CVE-2017-11600,CVE-2017-13167,CVE-2017-15115,CVE-2017-15868,CVE-2017-16534,CVE-2017-16538,CVE-2017-17448,CVE-2017-17449,CVE-2017-17450,CVE-2017-17558,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2017-8824 Sources used: SUSE Linux Enterprise Server 12-LTSS (src): kernel-default-3.12.61-52.111.1, kernel-source-3.12.61-52.111.1, kernel-syms-3.12.61-52.111.1, kernel-xen-3.12.61-52.111.1 SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.61-52.111.1
SUSE-SU-2018:0180-1: An update that solves 26 vulnerabilities and has 24 fixes is now available. Category: security (important) Bug References: 1012917,1013018,1024612,1034862,1045205,1045479,1045538,1047487,1048185,1050231,1050431,1051133,1054305,1056982,1063043,1064803,1064861,1065180,1065600,1066471,1066472,1066569,1066573,1066606,1066618,1066625,1066650,1066671,1066693,1066700,1066705,1066973,1067085,1067816,1067888,1068032,1068671,1068984,1069702,1070771,1070964,1071074,1071470,1071695,1072457,1072561,1072876,1073792,1073874,1074709 CVE References: CVE-2017-11600,CVE-2017-13167,CVE-2017-14106,CVE-2017-15102,CVE-2017-15115,CVE-2017-15868,CVE-2017-16525,CVE-2017-16527,CVE-2017-16529,CVE-2017-16531,CVE-2017-16534,CVE-2017-16535,CVE-2017-16536,CVE-2017-16537,CVE-2017-16538,CVE-2017-16649,CVE-2017-16939,CVE-2017-17450,CVE-2017-17558,CVE-2017-17805,CVE-2017-17806,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2017-7472,CVE-2017-8824 Sources used: SUSE Linux Enterprise Real Time Extension 11-SP4 (src): kernel-rt-3.0.101.rt130-69.14.1, kernel-rt_trace-3.0.101.rt130-69.14.1, kernel-source-rt-3.0.101.rt130-69.14.1, kernel-syms-rt-3.0.101.rt130-69.14.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): kernel-rt-3.0.101.rt130-69.14.1, kernel-rt_debug-3.0.101.rt130-69.14.1, kernel-rt_trace-3.0.101.rt130-69.14.1
released patches.kernel.org/4.4.107-006-USB-core-prevent-malicious-bNumInterfaces-ove.patch