DivestOS/Patches/Linux_CVEs/CVE-2016-3813/3.18/0002.patch

From de81d402f12a3492400644024e694748d3514951 Mon Sep 17 00:00:00 2001
From: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
Date: Thu, 5 May 2016 14:37:08 +0530
Subject: USB: dwc3: debugfs: Add boundary check in dwc3_store_ep_num()

User can pass arguments as part of write to requests and endpoint number
will be calculated based on the arguments. There is a chance that driver
can access ep structue that is not allocated due to invalid arguments
passed by user. Hence fix the issue by having check and return error in
case of invalid arguments.

Change-Id: I060ea878b55ce0f9983b91c50e58718c8a2c2fa1
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
---
 drivers/usb/dwc3/debugfs.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/dwc3/debugfs.c b/drivers/usb/dwc3/debugfs.c
index 7a88671..c82647f 100644
--- a/drivers/usb/dwc3/debugfs.c
+++ b/drivers/usb/dwc3/debugfs.c
@@ -630,7 +630,7 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf,
 	struct seq_file		*s = file->private_data;
 	struct dwc3		*dwc = s->private;
 	char			kbuf[10];
-	unsigned int		num, dir;
+	unsigned int		num, dir, temp;
 	unsigned long		flags;
 
 	memset(kbuf, 0, 10);
@@ -641,8 +641,16 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf,
 	if (sscanf(kbuf, "%u %u", &num, &dir) != 2)
 		return -EINVAL;
 
+	if (dir != 0 && dir != 1)
+		return -EINVAL;
+
+	temp = (num << 1) + dir;
+	if (temp >= (dwc->num_in_eps + dwc->num_out_eps) ||
+					temp >= DWC3_ENDPOINTS_NUM)
+		return -EINVAL;
+
 	spin_lock_irqsave(&dwc->lock, flags);
-	ep_num = (num << 1) + dir;
+	ep_num = temp;
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
 	return count;
-- 
cgit v1.1
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`From de81d402f12a3492400644024e694748d3514951 Mon Sep 17 00:00:00 2001`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>`
			`Date: Thu, 5 May 2016 14:37:08 +0530`
			`Subject: USB: dwc3: debugfs: Add boundary check in dwc3_store_ep_num()`

			`User can pass arguments as part of write to requests and endpoint number`
			`will be calculated based on the arguments. There is a chance that driver`
			`can access ep structue that is not allocated due to invalid arguments`
			`passed by user. Hence fix the issue by having check and return error in`
			`case of invalid arguments.`

			`Change-Id: I060ea878b55ce0f9983b91c50e58718c8a2c2fa1`
			`Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>`
			`---`
			`drivers/usb/dwc3/debugfs.c \| 12 ++++++++++--`
			`1 file changed, 10 insertions(+), 2 deletions(-)`

			`diff --git a/drivers/usb/dwc3/debugfs.c b/drivers/usb/dwc3/debugfs.c`
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`index 7a88671..c82647f 100644`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`--- a/drivers/usb/dwc3/debugfs.c`
			`+++ b/drivers/usb/dwc3/debugfs.c`
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`@@ -630,7 +630,7 @@ static ssize_t dwc3_store_ep_num(struct file file, const char __user ubuf,`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`struct seq_file *s = file->private_data;`
			`struct dwc3 *dwc = s->private;`
			`char kbuf[10];`
			`- unsigned int num, dir;`
			`+ unsigned int num, dir, temp;`
			`unsigned long flags;`

			`memset(kbuf, 0, 10);`
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`@@ -641,8 +641,16 @@ static ssize_t dwc3_store_ep_num(struct file file, const char __user ubuf,`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`if (sscanf(kbuf, "%u %u", &num, &dir) != 2)`
			`return -EINVAL;`

			`+ if (dir != 0 && dir != 1)`
			`+ return -EINVAL;`
			`+`
			`+ temp = (num << 1) + dir;`
			`+ if (temp >= (dwc->num_in_eps + dwc->num_out_eps) \|\|`
			`+ temp >= DWC3_ENDPOINTS_NUM)`
			`+ return -EINVAL;`
			`+`
			`spin_lock_irqsave(&dwc->lock, flags);`
			`- ep_num = (num << 1) + dir;`
			`+ ep_num = temp;`
			`spin_unlock_irqrestore(&dwc->lock, flags);`

			`return count;`
			`--`
			`cgit v1.1`