From: Johan Hovold <johan@kernel.org>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Greg KH <greg@kroah.com>, USB mailing list <linux-usb@vger.kernel.org>
Subject: Re: [PATCH] USB: core: Check buffer length matches wLength for control transfers
Date: Thu, 27 May 2021 10:23:17 +0200
Message-ID: <YK9W9X8lwqpBWNE+@hovoldconsulting.com>
In-Reply-To: <20210526153244.GA1400430@rowland.harvard.edu>

On Wed, May 26, 2021 at 11:32:44AM -0400, Alan Stern wrote:
> A type of inconsistency that can show up in control URBs is when the
> setup packet's wLength value does not match the URB's
> transfer_buffer_length field.  The two should always be equal;
> differences could lead to information leaks or undefined behavior for
> OUT transfers or overruns for IN transfers.
> 
> This patch adds a test for such mismatches during URB submission.  If
> the test fails, the submission is rejected with a -EBADR error code
> (which is not used elsewhere in the USB core), and a debugging message
> is logged for people interested in tracking down these errors.
> 
> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> CC: Johan Hovold <johan@kernel.org>

Looks good.

Reviewed-by: Johan Hovold <johan@kernel.org>

> ---
> 
> 
> [as1961]
> 
> 
>  Documentation/driver-api/usb/error-codes.rst |    3 +++
>  drivers/usb/core/urb.c                       |    6 ++++++
>  2 files changed, 9 insertions(+)
> 
> Index: usb-devel/drivers/usb/core/urb.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/core/urb.c
> +++ usb-devel/drivers/usb/core/urb.c
> @@ -410,6 +410,12 @@ int usb_submit_urb(struct urb *urb, gfp_
>  		dev_WARN_ONCE(&dev->dev, (usb_pipeout(urb->pipe) != is_out),
>  				"BOGUS control dir, pipe %x doesn't match bRequestType %x\n",
>  				urb->pipe, setup->bRequestType);
> +		if (le16_to_cpu(setup->wLength) != urb->transfer_buffer_length) {
> +			dev_dbg(&dev->dev, "BOGUS control len %d doesn't match transfer length %d\n",
> +					le16_to_cpu(setup->wLength),
> +					urb->transfer_buffer_length);
> +			return -EBADR;
> +		}
>  	} else {
>  		is_out = usb_endpoint_dir_out(&ep->desc);
>  	}
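Review bot: in the added dev_dbg() call both values are printed with %d, but urb->transfer_buffer_length is a u32 in struct urb, so %u is the matching specifier for it (the promoted le16_to_cpu(setup->wLength) value is fine either way). Separately, this check returns -EBADR while reporting only through dev_dbg(), whereas the direction check just above it uses dev_WARN_ONCE() and does not fail the submission. A driver that has been submitting a mismatched length will start failing with nothing in the log unless debug messages are enabled, so consider a once-only or rate-limited warning here, or say in the changelog why the quieter level was chosen.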
> Index: usb-devel/Documentation/driver-api/usb/error-codes.rst
> ===================================================================
> --- usb-devel.orig/Documentation/driver-api/usb/error-codes.rst
> +++ usb-devel/Documentation/driver-api/usb/error-codes.rst
> @@ -61,6 +61,9 @@ USB-specific:
>  			(c) requested data transfer length is invalid: negative
>  			    or too large for the host controller.
>  
> +``-EBADR``		The wLength value in a control URB's setup packet does
> +			not match the URB's transfer_buffer_length.
> +
>  ``-ENOSPC``		This request would overcommit the usb bandwidth reserved
>  			for periodic transfers (interrupt, isochronous).
>  
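Review bot: the new ``-EBADR`` entry states the condition but not when it is reported or who has to fix it. It would help to say that the URB is rejected at submission time and that the mismatch is a bug in the submitting driver, since the only other hint is the debugging message mentioned in the changelog. The entry could also say that the check applies to both IN and OUT control transfers, which the urb.c hunk shows but this text leaves implicit.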
