All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Vincent Pelletier <plr.vincent@gmail.com>,
	Felipe Balbi <felipe.balbi@linux.intel.com>
Subject: [PATCH 4.4 26/29] usb: gadget: f_fs: Assorted buffer overflow checks.
Date: Tue,  7 Feb 2017 13:45:55 +0100	[thread overview]
Message-ID: <20170207124459.863246920@linuxfoundation.org> (raw)
In-Reply-To: <20170207124458.685292007@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vincent Pelletier <plr.vincent@gmail.com>

commit 83e526f2a2fa4b2e82b6bd3ddbb26b70acfa8947 upstream.

OS descriptor head, when flagged as provided, is accessed without
checking if it fits in provided buffer. Verify length before access.
Also, there are other places where buffer length it checked
after accessing offsets which are potentially past the end. Check
buffer length before as well to fail cleanly.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/function/f_fs.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2079,6 +2079,8 @@ static int __ffs_data_do_os_desc(enum ff
 		if (len < sizeof(*d) || h->interface >= ffs->interfaces_count)
 			return -EINVAL;
 		length = le32_to_cpu(d->dwSize);
+		if (len < length)
+			return -EINVAL;
 		type = le32_to_cpu(d->dwPropertyDataType);
 		if (type < USB_EXT_PROP_UNICODE ||
 		    type > USB_EXT_PROP_UNICODE_MULTI) {
@@ -2087,6 +2089,11 @@ static int __ffs_data_do_os_desc(enum ff
 			return -EINVAL;
 		}
 		pnl = le16_to_cpu(d->wPropertyNameLength);
+		if (length < 14 + pnl) {
+			pr_vdebug("invalid os descriptor length: %d pnl:%d (descriptor %d)\n",
+				  length, pnl, type);
+			return -EINVAL;
+		}
 		pdl = le32_to_cpu(*(u32 *)((u8 *)data + 10 + pnl));
 		if (length != 14 + pnl + pdl) {
 			pr_vdebug("invalid os descriptor length: %d pnl:%d pdl:%d (descriptor %d)\n",
@@ -2171,6 +2178,9 @@ static int __ffs_data_got_descs(struct f
 		}
 	}
 	if (flags & (1 << i)) {
+		if (len < 4) {
+			goto error;
+		}
 		os_descs_count = get_unaligned_le32(data);
 		data += 4;
 		len -= 4;
@@ -2243,7 +2253,8 @@ static int __ffs_data_got_strings(struct
 
 	ENTER();
 
-	if (unlikely(get_unaligned_le32(data) != FUNCTIONFS_STRINGS_MAGIC ||
+	if (unlikely(len < 16 ||
+		     get_unaligned_le32(data) != FUNCTIONFS_STRINGS_MAGIC ||
 		     get_unaligned_le32(data + 4) != len))
 		goto error;
 	str_count  = get_unaligned_le32(data + 8);

  parent reply	other threads:[~2017-02-07 12:47 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-07 12:45 [PATCH 4.4 00/29] 4.4.48-stable review Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 01/29] PCI/ASPM: Handle PCI-to-PCIe bridges as roots of PCIe hierarchies Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 02/29] ext4: validate s_first_meta_bg at mount time Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 03/29] drm/nouveau/disp/gt215: Fix HDA ELD handling (thus, HDMI audio) on gt215 Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 04/29] drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 05/29] crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 06/29] crypto: arm64/aes-blk - honour iv_out requirement in CBC and CTR modes Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 07/29] perf/core: Fix PERF_RECORD_MMAP2 prot/flags for anonymous memory Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 08/29] ata: sata_mv:- Handle return value of devm_ioremap Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 10/29] powerpc/eeh: Fix wrong flag passed to eeh_unfreeze_pe() Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 11/29] powerpc: Add missing error check to prom_find_boot_cpu() Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 12/29] NFSD: Fix a null reference case in find_or_create_lock_stateid() Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 13/29] svcrpc: fix oops in absence of krb5 module Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 14/29] zswap: disable changing params if init fails Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 15/29] cifs: initialize file_info_lock Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 16/29] mm/memory_hotplug.c: check start_pfn in test_pages_in_a_zone() Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 17/29] mm, fs: check for fatal signals in do_generic_file_read() Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 18/29] can: bcm: fix hrtimer/tasklet termination in bcm op removal Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 19/29] mmc: sdhci: Ignore unexpected CARD_INT interrupts Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 20/29] percpu-refcount: fix reference leak during percpu-atomic transition Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 21/29] HID: wacom: Fix poor prox handling in wacom_pl_irq Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 23/29] USB: serial: qcserial: add Dell DW5570 QDL Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 24/29] USB: serial: pl2303: add ATEN device ID Greg Kroah-Hartman
2017-02-07 12:45 ` Greg Kroah-Hartman [this message]
2017-02-07 12:45 ` [PATCH 4.4 28/29] x86/irq: Make irq activate operations symmetric Greg Kroah-Hartman
2017-02-07 12:45 ` [PATCH 4.4 29/29] base/memory, hotplug: fix a kernel oops in show_valid_zones() Greg Kroah-Hartman
2017-02-07 15:59 ` [PATCH 4.4 00/29] 4.4.48-stable review Shuah Khan
2017-02-07 21:43 ` Guenter Roeck
     [not found] ` <589a7404.48301c0a.b5123.22e3@mx.google.com>
2017-02-08  6:36   ` Greg Kroah-Hartman
2017-02-08 19:40     ` Kevin Hilman
2017-02-08 20:07       ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170207124459.863246920@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=felipe.balbi@linux.intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=plr.vincent@gmail.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.