www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Mathias Payer <mathias.payer@nebelwelt.net>
	Wed, 5 Dec 2018 20:19:59 +0000 (21:19 +0100)
committer	Brian Maly <brian.maly@oracle.com>
	Wed, 17 Jul 2019 17:02:39 +0000 (13:02 -0400)
commit	526cd66e3433abaf27d8223a60e8b385af31614f
tree	261f9b014969da0408da840558173928463dcbbf	tree
parent	374d3511f657a2a3cbca0c57fee075dbca61bcca	commit \| diff

USB: check usb_get_extra_descriptor for proper size

Orabug: 29755247
CVE: CVE-2018-20169

When reading an extra descriptor, we need to properly check the minimum
and maximum size allowed, to prevent from invalid data being sent by a
device.

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf)
Signed-off-by: Brian Maly <brian.maly@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
Conflicts:
drivers/usb/core/hub.c

Signed-off-by: Brian Maly <brian.maly@oracle.com>

drivers/usb/core/hub.c		diff \| blob \| history
drivers/usb/core/usb.c		diff \| blob \| history
drivers/usb/host/hwa-hc.c		diff \| blob \| history
include/linux/usb.h		diff \| blob \| history