* [PATCH 01/10] USB: usb_driver_claim_interface: add sanity checking
@ 2016-03-25  2:58 Lu Baolu
  2016-03-25  2:58 ` [PATCH 02/10] USB: cdc-acm: more " Lu Baolu
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Lu Baolu @ 2016-03-25  2:58 UTC
  To: baolu.lu; +Cc: Oliver Neukum, stable

From: Oliver Neukum <oneukum@suse.com>

Attacks that trick drivers into passing a NULL pointer
to usb_driver_claim_interface() using forged descriptors are
known. This thwarts them by sanity checking.

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/driver.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
index 56593a9..2057d91 100644
--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -502,11 +502,15 @@ static int usb_unbind_interface(struct device *dev)
 int usb_driver_claim_interface(struct usb_driver *driver,
 				struct usb_interface *iface, void *priv)
 {
-	struct device *dev = &iface->dev;
+	struct device *dev;
 	struct usb_device *udev;
 	int retval = 0;
 	int lpm_disable_error;
 
+	if (!iface)
+		return -ENODEV;
+
+	dev = &iface->dev;
 	if (dev->driver)
 		return -EBUSY;
 
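Review bot: The new `if (!iface)` test at the top of usb_driver_claim_interface() carries no comment saying when iface can be NULL, so it reads like dead code that a later cleanup could drop. Suggest a one-line comment above it noting that callers may pass an unchecked interface lookup result derived from device-supplied descriptors, which is the case the commit message describes. The check also protects only this function: a caller that got the NULL pointer still holds it, so each caller should test its lookup result before any other use rather than rely on the -ENODEV returned here.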
-- 
2.1.4



* [PATCH 02/10] USB: cdc-acm: more sanity checking
  2016-03-25  2:58 [PATCH 01/10] USB: usb_driver_claim_interface: add sanity checking Lu Baolu
@ 2016-03-25  2:58 ` Lu Baolu
  2016-03-25  3:03   ` Lu Baolu
  2016-03-25  2:58 ` [PATCH 03/10] USB: uas: Reduce can_queue to MAX_CMNDS Lu Baolu
  2016-03-25  3:02 ` [PATCH 01/10] USB: usb_driver_claim_interface: add sanity checking Lu Baolu
  2 siblings, 1 reply; 6+ messages in thread
From: Lu Baolu @ 2016-03-25  2:58 UTC
  To: baolu.lu; +Cc: Oliver Neukum, stable

From: Oliver Neukum <oneukum@suse.com>

An attack has become available which pretends to be a quirky
device circumventing normal sanity checks and crashes the kernel
by an insufficient number of interfaces. This patch adds a check
to the code path for quirky devices.

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/cdc-acm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 1d2c99a..83fd30b 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1179,6 +1179,9 @@ static int acm_probe(struct usb_interface *intf,
 	if (quirks == NO_UNION_NORMAL) {
 		data_interface = usb_ifnum_to_if(usb_dev, 1);
 		control_interface = usb_ifnum_to_if(usb_dev, 0);
+		/* we would crash */
+		if (!data_interface || !control_interface)
+			return -ENODEV;
 		goto skip_normal_probe;
 	}
 
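Review bot: The comment `/* we would crash */` in the NO_UNION_NORMAL branch of acm_probe() does not say what is being guarded or why. Suggest wording it around the cause: usb_ifnum_to_if() returns NULL when the device does not provide interface 0 or interface 1, and the path reached through `goto skip_normal_probe` would otherwise use those pointers. Since this branch returns -ENODEV directly rather than through an error label, it is also worth confirming that nothing acquired earlier in acm_probe() needs to be released at this point.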
-- 
2.1.4



* [PATCH 03/10] USB: uas: Reduce can_queue to MAX_CMNDS
  2016-03-25  2:58 [PATCH 01/10] USB: usb_driver_claim_interface: add sanity checking Lu Baolu
  2016-03-25  2:58 ` [PATCH 02/10] USB: cdc-acm: more " Lu Baolu
@ 2016-03-25  2:58 ` Lu Baolu
  2016-03-25  3:03   ` Lu Baolu
  2016-03-25  3:02 ` [PATCH 01/10] USB: usb_driver_claim_interface: add sanity checking Lu Baolu
  2 siblings, 1 reply; 6+ messages in thread
From: Lu Baolu @ 2016-03-25  2:58 UTC
  To: baolu.lu; +Cc: Hans de Goede, stable

From: Hans de Goede <hdegoede@redhat.com>

The uas driver can never queue more than MAX_CMNDS (- 1) tags and tags
are shared between luns, so there is no need to claim that we can_queue
some random large number.

Not claiming that we can_queue 65536 commands fixes the uas driver
failing to initialize while allocating the tag map with a "Page allocation
failure (order 7)" error on systems which have been running for a while
and thus have fragmented memory.

Cc: stable@vger.kernel.org
Reported-and-tested-by: Yves-Alexis Perez <corsac@corsac.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/storage/uas.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
index 44b096c..13e4cc3 100644
--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -836,7 +836,7 @@ static struct scsi_host_template uas_host_template = {
 	.slave_configure = uas_slave_configure,
 	.eh_abort_handler = uas_eh_abort_handler,
 	.eh_bus_reset_handler = uas_eh_bus_reset_handler,
-	.can_queue = 65536,	/* Is there a limit on the _host_ ? */
+	.can_queue = MAX_CMNDS,
 	.this_id = -1,
 	.sg_tablesize = SG_NONE,
 	.skip_settle_delay = 1,
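Review bot: `.can_queue = MAX_CMNDS` does not match the commit message, which says the driver can never queue more than MAX_CMNDS (- 1) tags. Either set the field to the limit the driver can actually reach, or say in the message why MAX_CMNDS is the right host-level value. The removed comment asked whether the host has a limit at all; a short replacement comment stating that tags are shared between LUNs, so the host limit is the tag count, would keep that reasoning next to the value.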
-- 
2.1.4



* Re: [PATCH 01/10] USB: usb_driver_claim_interface: add sanity checking
  2016-03-25  2:58 [PATCH 01/10] USB: usb_driver_claim_interface: add sanity checking Lu Baolu
  2016-03-25  2:58 ` [PATCH 02/10] USB: cdc-acm: more " Lu Baolu
  2016-03-25  2:58 ` [PATCH 03/10] USB: uas: Reduce can_queue to MAX_CMNDS Lu Baolu
@ 2016-03-25  3:02 ` Lu Baolu
  2 siblings, 0 replies; 6+ messages in thread
From: Lu Baolu @ 2016-03-25  3:02 UTC
  Cc: Oliver Neukum, stable

I am sorry. This email was sent out due to an incorrect operation.
Please ignore it. I am sorry for disturbing you.

Best regards,
Baolu

On 03/25/2016 10:58 AM, Lu Baolu wrote:
> From: Oliver Neukum <oneukum@suse.com>
>
> Attacks that trick drivers into passing a NULL pointer
> to usb_driver_claim_interface() using forged descriptors are
> known. This thwarts them by sanity checking.
>
> Signed-off-by: Oliver Neukum <ONeukum@suse.com>
> CC: stable@vger.kernel.org
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  drivers/usb/core/driver.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
> index 56593a9..2057d91 100644
> --- a/drivers/usb/core/driver.c
> +++ b/drivers/usb/core/driver.c
> @@ -502,11 +502,15 @@ static int usb_unbind_interface(struct device *dev)
>  int usb_driver_claim_interface(struct usb_driver *driver,
>  				struct usb_interface *iface, void *priv)
>  {
> -	struct device *dev = &iface->dev;
> +	struct device *dev;
>  	struct usb_device *udev;
>  	int retval = 0;
>  	int lpm_disable_error;
>  
> +	if (!iface)
> +		return -ENODEV;
> +
> +	dev = &iface->dev;
>  	if (dev->driver)
>  		return -EBUSY;
>  



* Re: [PATCH 02/10] USB: cdc-acm: more sanity checking
  2016-03-25  2:58 ` [PATCH 02/10] USB: cdc-acm: more " Lu Baolu
@ 2016-03-25  3:03   ` Lu Baolu
  0 siblings, 0 replies; 6+ messages in thread
From: Lu Baolu @ 2016-03-25  3:03 UTC
  Cc: Oliver Neukum, stable

I am sorry. This email was sent out due to an incorrect operation.
Please ignore it. I am sorry for disturbing you.

Best regards,
Baolu

On 03/25/2016 10:58 AM, Lu Baolu wrote:
> From: Oliver Neukum <oneukum@suse.com>
>
> An attack has become available which pretends to be a quirky
> device circumventing normal sanity checks and crashes the kernel
> by an insufficient number of interfaces. This patch adds a check
> to the code path for quirky devices.
>
> Signed-off-by: Oliver Neukum <ONeukum@suse.com>
> CC: stable@vger.kernel.org
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  drivers/usb/class/cdc-acm.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
> index 1d2c99a..83fd30b 100644
> --- a/drivers/usb/class/cdc-acm.c
> +++ b/drivers/usb/class/cdc-acm.c
> @@ -1179,6 +1179,9 @@ static int acm_probe(struct usb_interface *intf,
>  	if (quirks == NO_UNION_NORMAL) {
>  		data_interface = usb_ifnum_to_if(usb_dev, 1);
>  		control_interface = usb_ifnum_to_if(usb_dev, 0);
> +		/* we would crash */
> +		if (!data_interface || !control_interface)
> +			return -ENODEV;
>  		goto skip_normal_probe;
>  	}
>  



* Re: [PATCH 03/10] USB: uas: Reduce can_queue to MAX_CMNDS
  2016-03-25  2:58 ` [PATCH 03/10] USB: uas: Reduce can_queue to MAX_CMNDS Lu Baolu
@ 2016-03-25  3:03   ` Lu Baolu
  0 siblings, 0 replies; 6+ messages in thread
From: Lu Baolu @ 2016-03-25  3:03 UTC
  Cc: Hans de Goede, stable

I am sorry. This email was sent out due to an incorrect operation.
Please ignore it. I am sorry for disturbing you.

Best Regards,
Baolu

On 03/25/2016 10:58 AM, Lu Baolu wrote:
> From: Hans de Goede <hdegoede@redhat.com>
>
> The uas driver can never queue more than MAX_CMNDS (- 1) tags and tags
> are shared between luns, so there is no need to claim that we can_queue
> some random large number.
>
> Not claiming that we can_queue 65536 commands fixes the uas driver
> failing to initialize while allocating the tag map with a "Page allocation
> failure (order 7)" error on systems which have been running for a while
> and thus have fragmented memory.
>
> Cc: stable@vger.kernel.org
> Reported-and-tested-by: Yves-Alexis Perez <corsac@corsac.net>
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  drivers/usb/storage/uas.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
> index 44b096c..13e4cc3 100644
> --- a/drivers/usb/storage/uas.c
> +++ b/drivers/usb/storage/uas.c
> @@ -836,7 +836,7 @@ static struct scsi_host_template uas_host_template = {
>  	.slave_configure = uas_slave_configure,
>  	.eh_abort_handler = uas_eh_abort_handler,
>  	.eh_bus_reset_handler = uas_eh_bus_reset_handler,
> -	.can_queue = 65536,	/* Is there a limit on the _host_ ? */
> +	.can_queue = MAX_CMNDS,
>  	.this_id = -1,
>  	.sg_tablesize = SG_NONE,
>  	.skip_settle_delay = 1,

