* USB: core: prevent malicious bNumInterfaces overflow
@ 2017-12-12 19:25 Alan Stern
0 siblings, 0 replies; 5+ messages in thread
From: Alan Stern @ 2017-12-12 19:25 UTC (permalink / raw)
To: Greg KH; +Cc: Andrey Konovalov, USB list
A malicious USB device with crafted descriptors can cause the kernel
to access unallocated memory by setting the bNumInterfaces value too
high in a configuration descriptor. Although the value is adjusted
during parsing, this adjustment is skipped in one of the error return
paths.
This patch prevents the problem by setting bNumInterfaces to 0
initially. The existing code already sets it to the proper value
after parsing is complete.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
---
[as1855]
drivers/usb/core/config.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Index: usb-4.x/drivers/usb/core/config.c
===================================================================
--- usb-4.x.orig/drivers/usb/core/config.c
+++ usb-4.x/drivers/usb/core/config.c
@@ -555,6 +555,9 @@ static int usb_parse_configuration(struc
unsigned iad_num = 0;
memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
+ nintf = nintf_orig = config->desc.bNumInterfaces;
+ config->desc.bNumInterfaces = 0; // Adjusted later
+
if (config->desc.bDescriptorType != USB_DT_CONFIG ||
config->desc.bLength < USB_DT_CONFIG_SIZE ||
config->desc.bLength > size) {
@@ -568,7 +571,6 @@ static int usb_parse_configuration(struc
buffer += config->desc.bLength;
size -= config->desc.bLength;
- nintf = nintf_orig = config->desc.bNumInterfaces;
if (nintf > USB_MAXINTERFACES) {
dev_warn(ddev, "config %d has too many interfaces: %d, "
"using maximum allowed: %d\n",
^ permalink raw reply [flat|nested] 5+ messages in thread
* USB: core: prevent malicious bNumInterfaces overflow
@ 2017-12-13 15:30 Alan Stern
0 siblings, 0 replies; 5+ messages in thread
From: Alan Stern @ 2017-12-13 15:30 UTC (permalink / raw)
To: Greg KH; +Cc: Peter Chen, Andrey Konovalov, USB list
On Wed, 13 Dec 2017, Greg KH wrote:
> > > --- usb-4.x.orig/drivers/usb/core/config.c
> > > +++ usb-4.x/drivers/usb/core/config.c
> > > @@ -555,6 +555,9 @@ static int usb_parse_configuration(struc
> > > unsigned iad_num = 0;
> > >
> > > memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
> > > + nintf = nintf_orig = config->desc.bNumInterfaces;
> > > + config->desc.bNumInterfaces = 0; // Adjusted later
> > > +
> >
> > The comment format?
>
> Is fine, I've given up that fight :)
In fact, Linus posted an email sometime in the last few weeks, in which
he said that he had changed his mind about // comments. He called it
the one thing that C++ got right!
Also, checkpatch didn't complain.
Alan Stern
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* USB: core: prevent malicious bNumInterfaces overflow
@ 2017-12-13 11:28 Greg KH
0 siblings, 0 replies; 5+ messages in thread
From: Greg KH @ 2017-12-13 11:28 UTC (permalink / raw)
To: Alan Stern; +Cc: Andrey Konovalov, USB list
On Tue, Dec 12, 2017 at 02:25:13PM -0500, Alan Stern wrote:
> A malicious USB device with crafted descriptors can cause the kernel
> to access unallocated memory by setting the bNumInterfaces value too
> high in a configuration descriptor. Although the value is adjusted
> during parsing, this adjustment is skipped in one of the error return
> paths.
>
> This patch prevents the problem by setting bNumInterfaces to 0
> initially. The existing code already sets it to the proper value
> after parsing is complete.
>
> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> Reported-by: Andrey Konovalov <andreyknvl@google.com>
> CC: <stable@vger.kernel.org>
>
> ---
>
>
> [as1855]
>
>
> drivers/usb/core/config.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> Index: usb-4.x/drivers/usb/core/config.c
> ===================================================================
> --- usb-4.x.orig/drivers/usb/core/config.c
> +++ usb-4.x/drivers/usb/core/config.c
> @@ -555,6 +555,9 @@ static int usb_parse_configuration(struc
> unsigned iad_num = 0;
>
> memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
> + nintf = nintf_orig = config->desc.bNumInterfaces;
> + config->desc.bNumInterfaces = 0; // Adjusted later
> +
> if (config->desc.bDescriptorType != USB_DT_CONFIG ||
> config->desc.bLength < USB_DT_CONFIG_SIZE ||
> config->desc.bLength > size) {
> @@ -568,7 +571,6 @@ static int usb_parse_configuration(struc
> buffer += config->desc.bLength;
> size -= config->desc.bLength;
>
> - nintf = nintf_orig = config->desc.bNumInterfaces;
Ugh, I tried to find this place to do this, but couldn't. Nice job,
I'll revert my patch and apply yours instead, thanks for this.
greg k-h
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* USB: core: prevent malicious bNumInterfaces overflow
@ 2017-12-13 7:51 Greg KH
0 siblings, 0 replies; 5+ messages in thread
From: Greg KH @ 2017-12-13 7:51 UTC (permalink / raw)
To: Peter Chen; +Cc: Alan Stern, Andrey Konovalov, USB list
On Wed, Dec 13, 2017 at 09:27:42AM +0800, Peter Chen wrote:
> On Tue, Dec 12, 2017 at 02:25:13PM -0500, Alan Stern wrote:
> > A malicious USB device with crafted descriptors can cause the kernel
> > to access unallocated memory by setting the bNumInterfaces value too
> > high in a configuration descriptor. Although the value is adjusted
> > during parsing, this adjustment is skipped in one of the error return
> > paths.
> >
> > This patch prevents the problem by setting bNumInterfaces to 0
> > initially. The existing code already sets it to the proper value
> > after parsing is complete.
> >
> > Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> > Reported-by: Andrey Konovalov <andreyknvl@google.com>
> > CC: <stable@vger.kernel.org>
> >
> > ---
> >
> >
> > [as1855]
> >
> >
> > drivers/usb/core/config.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > Index: usb-4.x/drivers/usb/core/config.c
> > ===================================================================
> > --- usb-4.x.orig/drivers/usb/core/config.c
> > +++ usb-4.x/drivers/usb/core/config.c
> > @@ -555,6 +555,9 @@ static int usb_parse_configuration(struc
> > unsigned iad_num = 0;
> >
> > memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
> > + nintf = nintf_orig = config->desc.bNumInterfaces;
> > + config->desc.bNumInterfaces = 0; // Adjusted later
> > +
>
> The comment format?
Is fine, I've given up that fight :)
greg k-h
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* USB: core: prevent malicious bNumInterfaces overflow
@ 2017-12-13 1:27 Peter Chen
0 siblings, 0 replies; 5+ messages in thread
From: Peter Chen @ 2017-12-13 1:27 UTC (permalink / raw)
To: Alan Stern; +Cc: Greg KH, Andrey Konovalov, USB list
On Tue, Dec 12, 2017 at 02:25:13PM -0500, Alan Stern wrote:
> A malicious USB device with crafted descriptors can cause the kernel
> to access unallocated memory by setting the bNumInterfaces value too
> high in a configuration descriptor. Although the value is adjusted
> during parsing, this adjustment is skipped in one of the error return
> paths.
>
> This patch prevents the problem by setting bNumInterfaces to 0
> initially. The existing code already sets it to the proper value
> after parsing is complete.
>
> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> Reported-by: Andrey Konovalov <andreyknvl@google.com>
> CC: <stable@vger.kernel.org>
>
> ---
>
>
> [as1855]
>
>
> drivers/usb/core/config.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> Index: usb-4.x/drivers/usb/core/config.c
> ===================================================================
> --- usb-4.x.orig/drivers/usb/core/config.c
> +++ usb-4.x/drivers/usb/core/config.c
> @@ -555,6 +555,9 @@ static int usb_parse_configuration(struc
> unsigned iad_num = 0;
>
> memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
> + nintf = nintf_orig = config->desc.bNumInterfaces;
> + config->desc.bNumInterfaces = 0; // Adjusted later
> +
The comment format?
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-12-13 15:30 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-12-12 19:25 USB: core: prevent malicious bNumInterfaces overflow Alan Stern
2017-12-13 1:27 Peter Chen
2017-12-13 7:51 Greg KH
2017-12-13 11:28 Greg KH
2017-12-13 15:30 Alan Stern
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.