From: "Martin Husemann"
To: source-changes@NetBSD.org
Date: Thu, 2 Jan 2020 09:42:06 +0000
Subject: CVS commit: [netbsd-9] src/sys/dev/usb
Message-Id: <20200102094206.B1E39FA97@cvs.NetBSD.org>
List-Id: source-changes.NetBSD.org

Module Name:	src
Committed By:	martin
Date:		Thu Jan  2 09:42:06 UTC 2020

Modified Files:
	src/sys/dev/usb [netbsd-9]: ucycom.c uhid.c uthum.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #595):

	sys/dev/usb/uthum.c: revision 1.18
	sys/dev/usb/ucycom.c: revision 1.49
	sys/dev/usb/uhid.c: revision 1.111

Fix buffer overflows. sc_{o,f}len are controlled by the USB device. By
crafting the former the device can leak stack data. By crafting the latter
the device can overwrite the stack. The combination of the two means the
device can ROP the kernel and obtain code execution (demonstrated with an
actual exploit over vHCI).

Truncate the lengths to the size of the buffers, and also drop sc_ilen
since it is unused. Patch tested with vHCI+kASan.

- Fix buffer overflows. Also add missing mutex_exit.

- Fix buffer overflows: validate the lengths at attach time, given that
  they are apparently not supposed to be variable. Drop sc_ilen since it
  is unused.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.2.1 src/sys/dev/usb/ucycom.c
cvs rdiff -u -r1.108 -r1.108.2.1 src/sys/dev/usb/uhid.c
cvs rdiff -u -r1.16 -r1.16.2.1 src/sys/dev/usb/uthum.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
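The bug class behind this pull-up, as an added illustration that is not part of the commit mail and not the NetBSD driver source: a driver stores report lengths it read from the device's descriptor (sc_olen, sc_flen) and later uses them to size copies into fixed-size stack buffers, so a device that advertises an oversized length gets an over-read (stack leak) or an over-write (stack smash). The example contrasts the unchecked attach with the two fix styles the log describes, clamping the lengths to the buffer size and rejecting bad lengths at attach time, and keeps a bounds check on the copy path as defence in depth. The struct, function names, REPORT_BUF_SIZE and the constructed descriptor values are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not the NetBSD driver code. Names and sizes here
 * are assumptions made for the example. */
#define REPORT_BUF_SIZE 64 /* assumed size of the driver's fixed report buffers */

struct report_softc {
	uint8_t sc_obuf[REPORT_BUF_SIZE]; /* output-report staging buffer */
	uint8_t sc_fbuf[REPORT_BUF_SIZE]; /* feature-report staging buffer */
	size_t  sc_olen; /* output-report length, taken from the device's descriptor */
	size_t  sc_flen; /* feature-report length, taken from the device's descriptor */
};

/* Lengths a (possibly hostile) device advertises in its report descriptor. */
struct device_report_desc {
	size_t olen;
	size_t flen;
};

/* Pre-fix behaviour: store whatever the device claims. */
static void attach_unchecked(struct report_softc *sc, const struct device_report_desc *d)
{
	sc->sc_olen = d->olen;
	sc->sc_flen = d->flen;
}

/* uhid-style fix: reject at attach time any length the fixed buffers cannot hold. */
static int attach_validated(struct report_softc *sc, const struct device_report_desc *d)
{
	if (d->olen > sizeof(sc->sc_obuf) || d->flen > sizeof(sc->sc_fbuf))
		return EINVAL; /* the caller then refuses to attach the device */
	sc->sc_olen = d->olen;
	sc->sc_flen = d->flen;
	return 0;
}

/* uthum/ucycom-style fix: clamp the lengths to the buffer sizes instead. */
static void attach_truncated(struct report_softc *sc, const struct device_report_desc *d)
{
	sc->sc_olen = d->olen < sizeof(sc->sc_obuf) ? d->olen : sizeof(sc->sc_obuf);
	sc->sc_flen = d->flen < sizeof(sc->sc_fbuf) ? d->flen : sizeof(sc->sc_fbuf);
}

/* True when copying `len` bytes into or out of a `bufsize`-byte buffer runs past
 * it; the leak and the overwrite are both this condition with a device-chosen len. */
static int report_copy_overruns(size_t len, size_t bufsize)
{
	return len > bufsize;
}

/* Feature-report read done safely: `dev_data` stands in for the bytes the device
 * returned, `out` for the user's buffer. The fixed stack buffer is only safe
 * because sc_flen is checked against it here too, whatever attach stored. */
static int get_feature_report(const struct report_softc *sc, const uint8_t *dev_data,
    size_t dev_len, uint8_t *out, size_t outsize)
{
	uint8_t report[REPORT_BUF_SIZE]; /* fixed-size stack buffer, as in the drivers */
	size_t n;

	if (report_copy_overruns(sc->sc_flen, sizeof(report)) ||
	    report_copy_overruns(sc->sc_flen, outsize))
		return ERANGE;
	memset(report, 0, sizeof(report)); /* a short device reply must not leak stack bytes */
	n = dev_len < sc->sc_flen ? dev_len : sc->sc_flen;
	memcpy(report, dev_data, n);
	memcpy(out, report, sc->sc_flen);
	return 0;
}

/* Scenario: a hostile descriptor through each attach path. Returns the errno from
 * attach_validated; the clamped and unchecked sc_flen come back via out params. */
static int hostile_descriptor(size_t *clamped_flen, size_t *unchecked_flen)
{
	struct report_softc sc;
	const struct device_report_desc bad = { .olen = 4096, .flen = 8192 }; /* constructed */
	int error;

	memset(&sc, 0, sizeof(sc));
	error = attach_validated(&sc, &bad);
	attach_truncated(&sc, &bad);
	*clamped_flen = sc.sc_flen;
	attach_unchecked(&sc, &bad);
	*unchecked_flen = sc.sc_flen;
	return error;
}

/* Scenario: feature-report read after an unchecked attach with the given flen. */
static int feature_read_after_unchecked_attach(size_t flen, uint8_t *out, size_t outsize)
{
	struct report_softc sc;
	const struct device_report_desc d = { .olen = 8, .flen = flen };
	const uint8_t dev_reply[4] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed device reply */

	memset(&sc, 0, sizeof(sc));
	attach_unchecked(&sc, &d);
	return get_feature_report(&sc, dev_reply, sizeof(dev_reply), out, outsize);
}

int main(void)
{
	size_t clamped, unchecked;
	uint8_t out[REPORT_BUF_SIZE];
	int error = hostile_descriptor(&clamped, &unchecked);

	printf("validated attach: %s\n", error == EINVAL ? "rejected (EINVAL)" : "accepted");
	printf("truncated attach: sc_flen clamped to %zu\n", clamped);
	printf("unchecked attach: sc_flen = %zu, overruns %d-byte buffer: %d\n",
	    unchecked, REPORT_BUF_SIZE, report_copy_overruns(unchecked, REPORT_BUF_SIZE));
	printf("feature read with flen=8192: %s\n",
	    feature_read_after_unchecked_attach(8192, out, sizeof(out)) == ERANGE ? "refused" : "copied");
	return 0;
}
```

The attach-time check is the right primary fix for lengths that are fixed by the descriptor, since it keeps a hostile device from being attached at all; the check inside get_feature_report is there so that a later code path cannot be reached with an unbounded length even if attach is wrong. The memset matters for the leak direction: with it, a device that replies with fewer bytes than sc_flen gets zeros, not whatever the kernel stack held.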