← Back to team overview

kernel-packages team mailing list archive

[Bug 1460657] [NEW] possible infinite loop when parsing CDC headers

 

Public bug reported:

Bug #1413992 's patch introduced a possible infinite loop.

commit 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e
Author: Quentin Casasnovas <quentin.casasnovas@xxxxxxxxxx>
Date:   Tue Apr 14 11:25:43 2015 +0200

    cdc-acm: prevent infinite loop when parsing CDC headers.

    Phil and I found out a problem with commit:

      7e860a6e7aa6 ("cdc-acm: add sanity checks")

    It added some sanity checks to ignore potential garbage in CDC headers but
    also introduced a potential infinite loop.  This can happen at the first
    loop iteration (elength = 0 in that case) if the description isn't a
    DT_CS_INTERFACE or later if 'buffer[0]' is zero.

    It should also be noted that the wrong length was being added to 'buffer'
    in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
    assigned after that check in the loop.

    A specially crafted USB device could be used to trigger this
infinite loop.

    Fixes: 7e860a6e7aa6 ("cdc-acm: add sanity checks")
    Signed-off-by: Phil Turnbull <phil.turnbull@xxxxxxxxxx>
    Signed-off-by: Quentin Casasnovas <quentin.casasnovas@xxxxxxxxxx>
    CC: Sergei Shtylyov <sergei.shtylyov@xxxxxxxxxxxxxxxxxx>
    CC: Oliver Neukum <oneukum@xxxxxxx>
    CC: Adam Lee <adam8157@xxxxxxxxx>
    CC: <stable@xxxxxxxxxxxxxxx>
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

** Affects: linux (Ubuntu)
     Importance: High
     Assignee: Adam Lee (adam8157)
         Status: In Progress

** Affects: linux (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: linux (Ubuntu Utopic)
     Importance: Undecided
         Status: New

** Affects: linux (Ubuntu Vivid)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1460657

Title:
  possible infinite loop when parsing CDC headers

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Trusty:
  New
Status in linux source package in Utopic:
  New
Status in linux source package in Vivid:
  New

Bug description:
  Bug #1413992 's patch introduced a possible infinite loop.

  commit 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e
  Author: Quentin Casasnovas <quentin.casasnovas@xxxxxxxxxx>
  Date:   Tue Apr 14 11:25:43 2015 +0200

      cdc-acm: prevent infinite loop when parsing CDC headers.

      Phil and I found out a problem with commit:

        7e860a6e7aa6 ("cdc-acm: add sanity checks")

      It added some sanity checks to ignore potential garbage in CDC headers but
      also introduced a potential infinite loop.  This can happen at the first
      loop iteration (elength = 0 in that case) if the description isn't a
      DT_CS_INTERFACE or later if 'buffer[0]' is zero.

      It should also be noted that the wrong length was being added to 'buffer'
      in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
      assigned after that check in the loop.

      A specially crafted USB device could be used to trigger this
  infinite loop.

      Fixes: 7e860a6e7aa6 ("cdc-acm: add sanity checks")
      Signed-off-by: Phil Turnbull <phil.turnbull@xxxxxxxxxx>
      Signed-off-by: Quentin Casasnovas <quentin.casasnovas@xxxxxxxxxx>
      CC: Sergei Shtylyov <sergei.shtylyov@xxxxxxxxxxxxxxxxxx>
      CC: Oliver Neukum <oneukum@xxxxxxx>
      CC: Adam Lee <adam8157@xxxxxxxxx>
      CC: <stable@xxxxxxxxxxxxxxx>
      Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1460657/+subscriptions


Follow ups

References