kernel-packages team mailing list archive

Thread
Date

[Bug 1460657] Re: possible infinite loop when parsing CDC headers

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Adam Lee <adam.lee@xxxxxxxxxxxxx>
Date: Fri, 05 Jun 2015 07:46:07 -0000
Reply-to: Bug 1460657 <1460657@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: linux (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Utopic)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Vivid)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Trusty)
     Assignee: (unassigned) => Adam Lee (adam8157)

** Changed in: linux (Ubuntu Utopic)
     Assignee: (unassigned) => Adam Lee (adam8157)

** Changed in: linux (Ubuntu Vivid)
     Assignee: (unassigned) => Adam Lee (adam8157)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1460657

Title:
  possible infinite loop when parsing CDC headers

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed

Bug description:
  Bug #1413992 's patch introduced a possible infinite loop.

  commit 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e
  Author: Quentin Casasnovas <quentin.casasnovas@xxxxxxxxxx>
  Date:   Tue Apr 14 11:25:43 2015 +0200

      cdc-acm: prevent infinite loop when parsing CDC headers.

      Phil and I found out a problem with commit:

        7e860a6e7aa6 ("cdc-acm: add sanity checks")

      It added some sanity checks to ignore potential garbage in CDC headers but
      also introduced a potential infinite loop.  This can happen at the first
      loop iteration (elength = 0 in that case) if the description isn't a
      DT_CS_INTERFACE or later if 'buffer[0]' is zero.

      It should also be noted that the wrong length was being added to 'buffer'
      in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
      assigned after that check in the loop.

      A specially crafted USB device could be used to trigger this
  infinite loop.

      Fixes: 7e860a6e7aa6 ("cdc-acm: add sanity checks")
      Signed-off-by: Phil Turnbull <phil.turnbull@xxxxxxxxxx>
      Signed-off-by: Quentin Casasnovas <quentin.casasnovas@xxxxxxxxxx>
      CC: Sergei Shtylyov <sergei.shtylyov@xxxxxxxxxxxxxxxxxx>
      CC: Oliver Neukum <oneukum@xxxxxxx>
      CC: Adam Lee <adam8157@xxxxxxxxx>
      CC: <stable@xxxxxxxxxxxxxxx>
      Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

  ===
  break-fix: 7e860a6e7aa62b337a61110430cd633db5b0d2dd 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1460657/+subscriptions

References

[Bug 1460657] [NEW] possible infinite loop when parsing CDC headers
From: Adam Lee, 2015-06-01