From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hui Peng <benquike@gmail.com>,
Mathias Payer <mathias.payer@nebelwelt.net>,
Linus Torvalds <torvalds@linux-foundation.org>,
stable <stable@kernel.org>
Subject: [PATCH 4.4 72/91] USB: check usb_get_extra_descriptor for proper size
Date: Tue, 11 Dec 2018 16:41:31 +0100 [thread overview]
Message-ID: <20181211151612.247415249@linuxfoundation.org> (raw)
In-Reply-To: <20181211151606.026852373@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Payer <mathias.payer@nebelwelt.net>
commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf upstream.
When reading an extra descriptor, we need to properly check the minimum
and maximum size allowed, to prevent from invalid data being sent by a
device.
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 2 +-
drivers/usb/core/usb.c | 6 +++---
drivers/usb/host/hwa-hc.c | 2 +-
include/linux/usb.h | 4 ++--
4 files changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2211,7 +2211,7 @@ static int usb_enumerate_device_otg(stru
/* descriptor may appear anywhere in config */
err = __usb_get_extra_descriptor(udev->rawdescriptors[0],
le16_to_cpu(udev->config[0].desc.wTotalLength),
- USB_DT_OTG, (void **) &desc);
+ USB_DT_OTG, (void **) &desc, sizeof(*desc));
if (err || !(desc->bmAttributes & USB_OTG_HNP))
return 0;
--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
@@ -678,14 +678,14 @@ EXPORT_SYMBOL_GPL(usb_get_current_frame_
*/
int __usb_get_extra_descriptor(char *buffer, unsigned size,
- unsigned char type, void **ptr)
+ unsigned char type, void **ptr, size_t minsize)
{
struct usb_descriptor_header *header;
while (size >= sizeof(struct usb_descriptor_header)) {
header = (struct usb_descriptor_header *)buffer;
- if (header->bLength < 2) {
+ if (header->bLength < 2 || header->bLength > size) {
printk(KERN_ERR
"%s: bogus descriptor, type %d length %d\n",
usbcore_name,
@@ -694,7 +694,7 @@ int __usb_get_extra_descriptor(char *buf
return -1;
}
- if (header->bDescriptorType == type) {
+ if (header->bDescriptorType == type && header->bLength >= minsize) {
*ptr = header;
return 0;
}
--- a/drivers/usb/host/hwa-hc.c
+++ b/drivers/usb/host/hwa-hc.c
@@ -654,7 +654,7 @@ static int hwahc_security_create(struct
top = itr + itr_size;
result = __usb_get_extra_descriptor(usb_dev->rawdescriptors[index],
le16_to_cpu(usb_dev->actconfig->desc.wTotalLength),
- USB_DT_SECURITY, (void **) &secd);
+ USB_DT_SECURITY, (void **) &secd, sizeof(*secd));
if (result == -1) {
dev_warn(dev, "BUG? WUSB host has no security descriptors\n");
return 0;
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -334,11 +334,11 @@ struct usb_host_bos {
};
int __usb_get_extra_descriptor(char *buffer, unsigned size,
- unsigned char type, void **ptr);
+ unsigned char type, void **ptr, size_t min);
#define usb_get_extra_descriptor(ifpoint, type, ptr) \
__usb_get_extra_descriptor((ifpoint)->extra, \
(ifpoint)->extralen, \
- type, (void **)ptr)
+ type, (void **)ptr, sizeof(**(ptr)))
/* ----------------------------------------------------------------------- */
next prev parent reply other threads:[~2018-12-11 16:16 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-11 15:40 [PATCH 4.4 00/91] 4.4.167-stable review Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 01/91] media: em28xx: Fix use-after-free when disconnecting Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 02/91] Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()" Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 03/91] rapidio/rionet: do not free skb before reading its length Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 04/91] s390/qeth: fix length check in SNMP processing Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 05/91] usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 06/91] kvm: mmu: Fix race in emulated page table writes Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 07/91] xtensa: enable coprocessors that are being flushed Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 08/91] xtensa: fix coprocessor context offset definitions Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 09/91] Btrfs: ensure path name is null terminated at btrfs_control_ioctl Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 10/91] ALSA: wss: Fix invalid snd_free_pages() at error path Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 11/91] ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 12/91] ALSA: control: Fix race between adding and removing a user element Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 13/91] ALSA: sparc: Fix invalid snd_free_pages() at error path Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 14/91] ext2: fix potential use after free Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 15/91] dmaengine: at_hdmac: fix memory leak in at_dma_xlate() Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 16/91] dmaengine: at_hdmac: fix module unloading Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 17/91] btrfs: release metadata before running delayed refs Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 18/91] USB: usb-storage: Add new IDs to ums-realtek Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 19/91] usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 20/91] misc: mic/scif: fix copy-paste error in scif_create_remote_lookup Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 21/91] Kbuild: suppress packed-not-aligned warning for default setting only Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 22/91] exec: avoid gcc-8 warning for get_task_comm Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 23/91] disable stringop truncation warnings for now Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 24/91] kobject: Replace strncpy with memcpy Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 25/91] unifdef: use memcpy instead of strncpy Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 26/91] kernfs: Replace strncpy with memcpy Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 27/91] ip_tunnel: Fix name string concatenate in __ip_tunnel_create() Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 28/91] drm: gma500: fix logic error Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 29/91] scsi: bfa: convert to strlcpy/strlcat Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 30/91] staging: rts5208: fix gcc-8 logic error warning Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 31/91] kdb: use memmove instead of overlapping memcpy Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 32/91] iser: set sector for ambiguous mr status errors Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 33/91] uprobes: Fix handle_swbp() vs. unregister() + register() race once more Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 34/91] MIPS: ralink: Fix mt7620 nd_sd pinmux Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 35/91] mips: fix mips_get_syscall_arg o32 check Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 36/91] drm/ast: Fix incorrect free on ioregs Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 37/91] scsi: scsi_devinfo: cleanly zero-pad devinfo strings Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 38/91] ALSA: trident: Suppress gcc string warning Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 39/91] scsi: csiostor: Avoid content leaks and casts Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 40/91] kgdboc: Fix restrict error Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 41/91] kgdboc: Fix warning with module build Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 42/91] leds: call led_pwm_set() in leds-pwm to enforce default LED_OFF Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 43/91] leds: turn off the LED and wait for completion on unregistering LED class device Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 44/91] leds: leds-gpio: Fix return value check in create_gpio_led() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 45/91] Input: xpad - quirk all PDP Xbox One gamepads Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 46/91] Input: matrix_keypad - check for errors from of_get_named_gpio() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 47/91] Input: elan_i2c - add ELAN0620 to the ACPI table Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 48/91] Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 49/91] Input: elan_i2c - add support for ELAN0621 touchpad Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 50/91] btrfs: Always try all copies when reading extent buffers Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 51/91] Btrfs: fix use-after-free when dumping free space Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 52/91] ARC: change defconfig defaults to ARCv2 Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 53/91] arc: [devboards] Add support of NFSv3 ACL Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 54/91] mm: cleancache: fix corruption on missed inode invalidation Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 55/91] mm: mlock: avoid increase mm->locked_vm on mlock() when already mlock2(,MLOCK_ONFAULT) Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 56/91] usb: gadget: dummy: fix nonsensical comparisons Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 57/91] iommu/vt-d: Fix NULL pointer dereference in prq_event_thread() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 58/91] iommu/ipmmu-vmsa: Fix crash on early domain free Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 59/91] can: rcar_can: Fix erroneous registration Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 60/91] batman-adv: Expand merged fragment buffer for full packet Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 61/91] bnx2x: Assign unique DMAE channel number for FW DMAE transactions Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 62/91] qed: Fix PTT leak in qed_drain() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 63/91] qed: Fix reading wrong value in loop condition Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 64/91] net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 65/91] net/mlx4_core: Fix uninitialized variable compilation warning Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 66/91] net/mlx4: Fix UBSAN warning of signed integer overflow Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 67/91] net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 68/91] iommu/vt-d: Use memunmap to free memremap Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 69/91] net: amd: add missing of_node_put() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 70/91] usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 71/91] usb: appledisplay: Add 27" Apple Cinema Display Greg Kroah-Hartman
2018-12-11 15:41 ` Greg Kroah-Hartman [this message]
2018-12-11 15:41 ` [PATCH 4.4 73/91] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 74/91] ALSA: hda: Add support for AMD Stoney Ridge Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 75/91] ALSA: pcm: Fix starvation on down_write_nonblock() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 76/91] ALSA: pcm: Call snd_pcm_unlink() conditionally at closing Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 77/91] ALSA: pcm: Fix interval evaluation with openmin/max Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 78/91] virtio/s390: avoid race on vcdev->config Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 79/91] virtio/s390: fix race in ccw_io_helper() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 80/91] SUNRPC: Fix leak of krb5p encode pages Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 81/91] dmaengine: cppi41: delete channel from pending list when stop channel Greg Kroah-Hartman
2018-12-12 16:40 ` Bin Liu
2018-12-11 15:41 ` [PATCH 4.4 82/91] xhci: Prevent U1/U2 link pm states if exit latency is too long Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 83/91] Staging: lustre: remove two build warnings Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 84/91] cifs: Fix separator when building path from dentry Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 85/91] tty: serial: 8250_mtk: always resume the device in probe Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 86/91] kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 87/91] mac80211_hwsim: Timer should be initialized before device registered Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 88/91] mac80211: Clear beacon_int in ieee80211_do_stop Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 89/91] mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 90/91] mac80211: fix reordering of buffered broadcast packets Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 91/91] mac80211: ignore NullFunc frames in the duplicate detection Greg Kroah-Hartman
2018-12-11 21:53 ` [PATCH 4.4 00/91] 4.4.167-stable review kernelci.org bot
2018-12-11 23:56 ` shuah
2018-12-12 7:05 ` Naresh Kamboju
2018-12-12 14:24 ` Guenter Roeck
2018-12-12 17:29 ` Greg Kroah-Hartman
2018-12-12 19:15 ` Harsh Shandilya
2018-12-13 8:04 ` Greg Kroah-Hartman
2018-12-12 22:20 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181211151612.247415249@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=benquike@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mathias.payer@nebelwelt.net \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).