    usb: gadget: rndis: Fix info leak of rndis · 740612c7
    Committed by Wang Hai
    hulk inclusion
    category: bugfix
    bugzilla: 172330
    CVE: HWPSIRT-2021-84477
    
    --------------------------------
    
    We can construct some special USB packets that cause a kernel
    info leak through the following steps of rndis.
    
    1. construct the packet to make rndis call gen_ndis_set_resp().
    
    In gen_ndis_set_resp(), BufOffset comes from the USB packet and
    it is not checked, so BufOffset can be any value. Therefore,
    if OID is RNDIS_OID_GEN_CURRENT_PACKET_FILTER, then *params->filter
    can get data at any address.
    
    2. construct the packet to make rndis call rndis_query_response().
    
    In rndis_query_response(), if OID is RNDIS_OID_GEN_CURRENT_PACKET_FILTER,
    then the data of *params->filter is fetched and returned, resulting in
    info leak.
    
    Therefore, we need to check BufOffset to prevent the info leak. Here,
    the buffer size is USB_COMP_EP0_BUFSIZ; as long as "8 + BufOffset + BufLength"
    is less than USB_COMP_EP0_BUFSIZ, it is considered legal.
    
    Fixes: 1da177e4 ("Linux-2.6.12-rc2")
    Signed-off-by: Wang Hai <wanghai38@huawei.com>
    Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
    Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
    Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
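As an added illustration (not code from this commit or from the kernel tree): a stand-alone C routine that applies the bound described in the commit message to a REMOTE_NDIS_SET_MSG header, using the standard RNDIS set-message layout and assuming USB_COMP_EP0_BUFSIZ is 4096. It does the arithmetic in 64 bits so that a very large BufOffset cannot wrap a 32-bit sum back under the limit, and `build_set_msg` only constructs test input.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed value of USB_COMP_EP0_BUFSIZ from include/linux/usb/composite.h. */
#define USB_COMP_EP0_BUFSIZ 4096U
#define RNDIS_MSG_SET 0x00000005U
#define RNDIS_OID_GEN_CURRENT_PACKET_FILTER 0x0001010EU
#define RNDIS_SET_HDR_LEN 28U   /* MessageType .. DeviceVcHandle, 7 x u32 */

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Validate the host-supplied InformationBufferOffset/Length of a
 * REMOTE_NDIS_SET_MSG. The offset is relative to the RequestID field
 * (byte 8), so the information buffer spans [8 + off, 8 + off + len)
 * of the EP0 buffer. Returns that start offset, or -1 when the span is
 * not strictly inside USB_COMP_EP0_BUFSIZ (the rule from the commit).
 */
long rndis_set_info_offset(const uint8_t *msg, size_t msg_len)
{
	if (msg_len < RNDIS_SET_HDR_LEN || get_le32(msg) != RNDIS_MSG_SET)
		return -1;
	uint64_t len = get_le32(msg + 16);   /* InformationBufferLength */
	uint64_t off = get_le32(msg + 20);   /* InformationBufferOffset */
	/* 64-bit sum: in 32 bits a huge off would wrap and pass the check. */
	if (8 + off + len >= USB_COMP_EP0_BUFSIZ)
		return -1;
	return (long)(8 + off);
}

/* Constructed test input: a SET header for the packet-filter OID. */
void build_set_msg(uint8_t out[RNDIS_SET_HDR_LEN], uint32_t off, uint32_t len)
{
	uint32_t f[7] = { RNDIS_MSG_SET, RNDIS_SET_HDR_LEN + len, 1,
			  RNDIS_OID_GEN_CURRENT_PACKET_FILTER, len, off, 0 };
	for (int i = 0; i < 7; i++)
		for (int b = 0; b < 4; b++)
			out[i * 4 + b] = (uint8_t)(f[i] >> (8 * b));
}
```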