* [bug report] usb: gadget: f_fs: OS descriptors support
@ 2019-06-08  9:26 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2019-06-08  9:26 UTC (permalink / raw)
  To: andrzej.p; +Cc: linux-usb

Hello Andrzej Pietrasiewicz,

The patch f0175ab51993: "usb: gadget: f_fs: OS descriptors support"
from Jul 9, 2014, leads to the following static checker warning:

	drivers/usb/gadget/function/f_fs.c:2992 __ffs_func_bind_do_os_desc()
	error: 'ext_prop->data_len' from user is not capped properly

drivers/usb/gadget/function/f_fs.c
  2961                         ARRAY_SIZE(desc->CompatibleID) +
  2962                         ARRAY_SIZE(desc->SubCompatibleID));
  2963                  length = sizeof(*desc);
  2964          }
  2965                  break;
  2966          case FFS_OS_DESC_EXT_PROP: {
  2967                  struct usb_ext_prop_desc *desc = data;
  2968                  struct usb_os_desc_table *t;
  2969                  struct usb_os_desc_ext_prop *ext_prop;
  2970                  char *ext_prop_name;
  2971                  char *ext_prop_data;
  2972  
  2973                  t = &func->function.os_desc_table[h->interface];
  2974                  t->if_id = func->interfaces_nums[h->interface];
  2975  
  2976                  ext_prop = func->ffs->ms_os_descs_ext_prop_avail;
  2977                  func->ffs->ms_os_descs_ext_prop_avail += sizeof(*ext_prop);
  2978  
  2979                  ext_prop->type = le32_to_cpu(desc->dwPropertyDataType);
  2980                  ext_prop->name_len = le16_to_cpu(desc->wPropertyNameLength);
  2981                  ext_prop->data_len = le32_to_cpu(*(__le32 *)
  2982                          usb_ext_prop_data_len_ptr(data, ext_prop->name_len));

Smatch is very suspicious of "ext_prop->data_len".

  2983                  length = ext_prop->name_len + ext_prop->data_len + 14;
  2984  
  2985                  ext_prop_name = func->ffs->ms_os_descs_ext_prop_name_avail;
  2986                  func->ffs->ms_os_descs_ext_prop_name_avail +=
  2987                          ext_prop->name_len;
  2988  
  2989                  ext_prop_data = func->ffs->ms_os_descs_ext_prop_data_avail;
  2990                  func->ffs->ms_os_descs_ext_prop_data_avail +=
  2991                          ext_prop->data_len;
  2992                  memcpy(ext_prop_data,
  2993                         usb_ext_prop_data_ptr(data, ext_prop->name_len),
  2994                         ext_prop->data_len);
                               ^^^^^^^^^^^^^^^^^^
so it complains that this memcpy() can overflow.  That seems like maybe
a real issue?

  2995                  /* unicode data reported to the host as "WCHAR"s */
  2996                  switch (ext_prop->type) {
  2997                  case USB_EXT_PROP_UNICODE:
  2998                  case USB_EXT_PROP_UNICODE_ENV:
  2999                  case USB_EXT_PROP_UNICODE_LINK:
  3000                  case USB_EXT_PROP_UNICODE_MULTI:
  3001                          ext_prop->data_len *= 2;
  3002                          break;
  3003                  }
  3004                  ext_prop->data = ext_prop_data;

regards,
dan carpenter
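
An added example, not part of the message above and not kernel code: a user-space C parser that caps a record's name and data lengths against the remaining input and the destination before the copy that the warning points at. The field offsets are assumed from the 14-byte fixed overhead in the quoted line 2983; `ext_prop_copy_data()`, `copy_with_claimed_len()` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed bytes per record: dwSize(4) + dwPropertyDataType(4) +
 * wPropertyNameLength(2) + dwPropertyDataLength(4) = 14 (layout assumed from
 * the quoted "length = ext_prop->name_len + ext_prop->data_len + 14"). */
#define EXT_PROP_FIXED 14u

static uint32_t get_le(const uint8_t *p, int n)	/* n-byte little-endian load */
{
	uint32_t v = 0;
	while (n--)
		v = (v << 8) | p[n];
	return v;
}

/* Hypothetical helper (not a kernel function): copy the property data of the
 * record in buf[0..len) to dst. Returns bytes copied, or -1 on a bad length. */
long ext_prop_copy_data(const uint8_t *buf, size_t len, uint8_t *dst, size_t dst_len)
{
	size_t name_len, data_len;
	if (len < EXT_PROP_FIXED)
		return -1;		/* fixed fields truncated */
	name_len = get_le(buf + 8, 2);
	if (name_len > len - EXT_PROP_FIXED)
		return -1;		/* name runs past the input */
	data_len = get_le(buf + 10 + name_len, 4);
	/* Subtract rather than add, so a huge data_len cannot wrap the sum. */
	if (data_len > len - EXT_PROP_FIXED - name_len || data_len > dst_len)
		return -1;		/* data runs past input or destination */
	memcpy(dst, buf + EXT_PROP_FIXED + name_len, data_len);
	return (long)data_len;
}

/* Constructed sample: type 1, 2-byte name, 4 data bytes, 20 bytes total. */
static const uint8_t sample[20] = {
	20, 0, 0, 0,  1, 0, 0, 0,  2, 0,  'A', 0,  4, 0, 0, 0,  0xde, 0xad, 0xbe, 0xef
};

/* Parse the sample with its data-length field replaced by `claimed`. */
long copy_with_claimed_len(uint32_t claimed, size_t dst_len)
{
	uint8_t rec[sizeof(sample)], dst[8];
	memcpy(rec, sample, sizeof(rec));
	for (int i = 0; i < 4; i++)
		rec[12 + i] = (uint8_t)(claimed >> (8 * i));
	return ext_prop_copy_data(rec, sizeof(rec), dst, dst_len > 8 ? 8 : dst_len);
}
```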
