From: Alan Stern <stern@rowland.harvard.edu>
To: Greg KH <greg@kroah.com>
Cc: Johan Hovold <johan@kernel.org>,
	USB mailing list <linux-usb@vger.kernel.org>
Subject: [PATCH] USB: core: Check buffer length matches wLength for control transfers
Date: Wed, 26 May 2021 11:32:44 -0400
Message-ID: <20210526153244.GA1400430@rowland.harvard.edu>

A type of inconsistency that can show up in control URBs is when the
setup packet's wLength value does not match the URB's
transfer_buffer_length field.  The two should always be equal;
differences could lead to information leaks or undefined behavior for
OUT transfers or overruns for IN transfers.

This patch adds a test for such mismatches during URB submission.  If
the test fails, the submission is rejected with a -EBADR error code
(which is not used elsewhere in the USB core), and a debugging message
is logged for people interested in tracking down these errors.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Johan Hovold <johan@kernel.org>

---


[as1961]


 Documentation/driver-api/usb/error-codes.rst |    3 +++
 drivers/usb/core/urb.c                       |    6 ++++++
 2 files changed, 9 insertions(+)

Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -410,6 +410,12 @@ int usb_submit_urb(struct urb *urb, gfp_
 		dev_WARN_ONCE(&dev->dev, (usb_pipeout(urb->pipe) != is_out),
 				"BOGUS control dir, pipe %x doesn't match bRequestType %x\n",
 				urb->pipe, setup->bRequestType);
+		if (le16_to_cpu(setup->wLength) != urb->transfer_buffer_length) {
+			dev_dbg(&dev->dev, "BOGUS control len %d doesn't match transfer length %d\n",
+					le16_to_cpu(setup->wLength),
+					urb->transfer_buffer_length);
+			return -EBADR;
+		}
 	} else {
 		is_out = usb_endpoint_dir_out(&ep->desc);
 	}
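
Review bot: The rejection at `return -EBADR` is reported only through dev_dbg(), so on a kernel where debug output for this file is not enabled, a driver whose submissions start failing gets no log line explaining why, while the direction check immediately above uses dev_WARN_ONCE(). Consider a rate-limited dev_warn() for the mismatch, or state in the changelog why the quieter level is intended for a check that now fails the submission. Separately, both arguments are printed with %d; if transfer_buffer_length is an unsigned field, %u is the matching specifier for it.
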
Index: usb-devel/Documentation/driver-api/usb/error-codes.rst
===================================================================
--- usb-devel.orig/Documentation/driver-api/usb/error-codes.rst
+++ usb-devel/Documentation/driver-api/usb/error-codes.rst
@@ -61,6 +61,9 @@ USB-specific:
 			(c) requested data transfer length is invalid: negative
 			    or too large for the host controller.
 
+``-EBADR``		The wLength value in a control URB's setup packet does
+			not match the URB's transfer_buffer_length.
+
 ``-ENOSPC``		This request would overcommit the usb bandwidth reserved
 			for periodic transfers (interrupt, isochronous).
 
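
Review bot: The new ``-EBADR`` entry states the condition but not the consequence or the remedy. Since the urb.c hunk returns the error before the URB goes any further, the entry could say that the URB is rejected at submission and that the driver must set transfer_buffer_length equal to the setup packet's wLength (the comparison is made after le16_to_cpu() conversion), so a driver author who hits the error knows which of the two fields to fix.
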

Thread overview: 3+ messages
2021-05-26 15:32 Alan Stern [this message]
2021-05-27  8:23 ` [PATCH] USB: core: Check buffer length matches wLength for control transfers Johan Hovold
2021-05-27 11:46 ` Greg KH