* [PATCH] USB: fix buffer overflows with parsing CDC headers
@ 2017-11-08 11:43 Oliver Neukum
2017-11-10 13:36 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: Oliver Neukum @ 2017-11-08 11:43 UTC (permalink / raw)
To: stable, linux-usb; +Cc: Oliver Neukum
In newer kernels this issue has been fixed at a central location with
commit 2e1c42391ff2556387b3cb6308b24f6f65619feb
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu Sep 21 16:58:48 2017 +0200
USB: core: harden cdc_parse_cdc_header
on anything older the parsing had not been centralised, so a separate
fix for each driver is necessary.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/net/usb/cdc_ether.c | 9 ++++++++-
drivers/usb/class/cdc-acm.c | 8 +++++++-
drivers/usb/class/cdc-wdm.c | 2 ++
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index 3651f3cd474e..0f2fde0820dd 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -144,6 +144,8 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
dev_dbg(&intf->dev, "extra CDC header\n");
goto bad_desc;
}
+ if (len < sizeof(struct usb_cdc_header_desc))
+ break;
info->header = (void *) buf;
if (info->header->bLength != sizeof(*info->header)) {
dev_dbg(&intf->dev, "CDC header len %u\n",
@@ -157,6 +159,8 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
*/
if (rndis) {
struct usb_cdc_acm_descriptor *acm;
+ if (len < sizeof(struct usb_cdc_acm_descriptor))
+ break;
acm = (void *) buf;
if (acm->bmCapabilities) {
@@ -173,6 +177,8 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
dev_dbg(&intf->dev, "extra CDC union\n");
goto bad_desc;
}
+ if (len < sizeof(struct usb_cdc_union_desc))
+ break;
info->u = (void *) buf;
if (info->u->bLength != sizeof(*info->u)) {
dev_dbg(&intf->dev, "CDC union len %u\n",
@@ -231,6 +237,8 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
dev_dbg(&intf->dev, "extra CDC ether\n");
goto bad_desc;
}
+ if (len < sizeof(struct usb_cdc_ether_desc))
+ break;
info->ether = (void *) buf;
if (info->ether->bLength != sizeof(*info->ether)) {
dev_dbg(&intf->dev, "CDC ether len %u\n",
@@ -248,7 +256,6 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
dev_dbg(&intf->dev, "extra MDLM descriptor\n");
goto bad_desc;
}
-
desc = (void *)buf;
if (desc->bLength != sizeof(*desc))
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index ea93b35b1c6d..8957ee57f62d 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1019,7 +1019,7 @@ static int acm_probe(struct usb_interface *intf,
}
}
- while (buflen > 0) {
+ while (buflen >= 3) { /* minimum length making sense */
if (buffer[1] != USB_DT_CS_INTERFACE) {
dev_err(&intf->dev, "skipping garbage\n");
goto next_desc;
@@ -1027,6 +1027,8 @@ static int acm_probe(struct usb_interface *intf,
switch (buffer[2]) {
case USB_CDC_UNION_TYPE: /* we've found it */
+ if (buflen < sizeof(struct usb_cdc_union_desc))
+ break;
if (union_header) {
dev_err(&intf->dev, "More than one "
"union descriptor, skipping ...\n");
@@ -1035,6 +1037,8 @@ static int acm_probe(struct usb_interface *intf,
union_header = (struct usb_cdc_union_desc *)buffer;
break;
case USB_CDC_COUNTRY_TYPE: /* export through sysfs*/
+ if (buflen < sizeof(struct usb_cdc_country_functional_desc))
+ break;
cfd = (struct usb_cdc_country_functional_desc *)buffer;
break;
case USB_CDC_HEADER_TYPE: /* maybe check version */
@@ -1043,6 +1047,8 @@ static int acm_probe(struct usb_interface *intf,
ac_management_function = buffer[3];
break;
case USB_CDC_CALL_MANAGEMENT_TYPE:
+ if (buflen < 4)
+ break;
call_management_function = buffer[3];
call_interface_num = buffer[4];
if ((quirks & NOT_A_MODEM) == 0 && (call_management_function & 3) != 3)
diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
index 07133d0c971b..f61b5e138bc7 100644
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -851,6 +851,8 @@ static int wdm_probe(struct usb_interface *intf, const struct usb_device_id *id)
case USB_CDC_HEADER_TYPE:
break;
case USB_CDC_DMM_TYPE:
+ if (buflen < sizeof(struct usb_cdc_dmm_desc))
+ break;
dmhd = (struct usb_cdc_dmm_desc *)buffer;
maxcom = le16_to_cpu(dmhd->wMaxCommand);
dev_dbg(&intf->dev,
--
2.13.6
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] USB: fix buffer overflows with parsing CDC headers
2017-11-08 11:43 [PATCH] USB: fix buffer overflows with parsing CDC headers Oliver Neukum
@ 2017-11-10 13:36 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2017-11-10 13:36 UTC (permalink / raw)
To: Oliver Neukum; +Cc: stable, linux-usb
On Wed, Nov 08, 2017 at 12:43:07PM +0100, Oliver Neukum wrote:
> In newer kernels this issue has been fixed at a central location with
>
> commit 2e1c42391ff2556387b3cb6308b24f6f65619feb
> Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Date: Thu Sep 21 16:58:48 2017 +0200
>
> USB: core: harden cdc_parse_cdc_header
>
> on anything older the parsing had not been centralised, so a separate
> fix for each driver is necessary.
>
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
> ---
> drivers/net/usb/cdc_ether.c | 9 ++++++++-
> drivers/usb/class/cdc-acm.c | 8 +++++++-
> drivers/usb/class/cdc-wdm.c | 2 ++
> 3 files changed, 17 insertions(+), 2 deletions(-)
What kernel tree is this made against? It doesn't apply to 3.18-stable,
and commit 2e1c42391ff2556387b3cb6308b24f6f65619feb is in 4.4 and newer,
right?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-11-10 13:36 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-08 11:43 [PATCH] USB: fix buffer overflows with parsing CDC headers Oliver Neukum
2017-11-10 13:36 ` Greg KH
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.