linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Hui Peng <benquike@gmail.com>,
	Mathias Payer <mathias.payer@nebelwelt.net>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	stable <stable@kernel.org>
Subject: [PATCH 4.4 72/91] USB: check usb_get_extra_descriptor for proper size
Date: Tue, 11 Dec 2018 16:41:31 +0100	[thread overview]
Message-ID: <20181211151612.247415249@linuxfoundation.org> (raw)
In-Reply-To: <20181211151606.026852373@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Payer <mathias.payer@nebelwelt.net>

commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf upstream.

When reading an extra descriptor, we need to properly check the minimum
and maximum size allowed, to prevent from invalid data being sent by a
device.

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/hub.c    |    2 +-
 drivers/usb/core/usb.c    |    6 +++---
 drivers/usb/host/hwa-hc.c |    2 +-
 include/linux/usb.h       |    4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2211,7 +2211,7 @@ static int usb_enumerate_device_otg(stru
 		/* descriptor may appear anywhere in config */
 		err = __usb_get_extra_descriptor(udev->rawdescriptors[0],
 				le16_to_cpu(udev->config[0].desc.wTotalLength),
-				USB_DT_OTG, (void **) &desc);
+				USB_DT_OTG, (void **) &desc, sizeof(*desc));
 		if (err || !(desc->bmAttributes & USB_OTG_HNP))
 			return 0;
 
--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
@@ -678,14 +678,14 @@ EXPORT_SYMBOL_GPL(usb_get_current_frame_
  */
 
 int __usb_get_extra_descriptor(char *buffer, unsigned size,
-			       unsigned char type, void **ptr)
+			       unsigned char type, void **ptr, size_t minsize)
 {
 	struct usb_descriptor_header *header;
 
 	while (size >= sizeof(struct usb_descriptor_header)) {
 		header = (struct usb_descriptor_header *)buffer;
 
-		if (header->bLength < 2) {
+		if (header->bLength < 2 || header->bLength > size) {
 			printk(KERN_ERR
 				"%s: bogus descriptor, type %d length %d\n",
 				usbcore_name,
@@ -694,7 +694,7 @@ int __usb_get_extra_descriptor(char *buf
 			return -1;
 		}
 
-		if (header->bDescriptorType == type) {
+		if (header->bDescriptorType == type && header->bLength >= minsize) {
 			*ptr = header;
 			return 0;
 		}
--- a/drivers/usb/host/hwa-hc.c
+++ b/drivers/usb/host/hwa-hc.c
@@ -654,7 +654,7 @@ static int hwahc_security_create(struct
 	top = itr + itr_size;
 	result = __usb_get_extra_descriptor(usb_dev->rawdescriptors[index],
 			le16_to_cpu(usb_dev->actconfig->desc.wTotalLength),
-			USB_DT_SECURITY, (void **) &secd);
+			USB_DT_SECURITY, (void **) &secd, sizeof(*secd));
 	if (result == -1) {
 		dev_warn(dev, "BUG? WUSB host has no security descriptors\n");
 		return 0;
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -334,11 +334,11 @@ struct usb_host_bos {
 };
 
 int __usb_get_extra_descriptor(char *buffer, unsigned size,
-	unsigned char type, void **ptr);
+	unsigned char type, void **ptr, size_t min);
 #define usb_get_extra_descriptor(ifpoint, type, ptr) \
 				__usb_get_extra_descriptor((ifpoint)->extra, \
 				(ifpoint)->extralen, \
-				type, (void **)ptr)
+				type, (void **)ptr, sizeof(**(ptr)))
 
 /* ----------------------------------------------------------------------- */
 



  parent reply	other threads:[~2018-12-11 16:16 UTC|newest]

Thread overview: 101+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-11 15:40 [PATCH 4.4 00/91] 4.4.167-stable review Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 01/91] media: em28xx: Fix use-after-free when disconnecting Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 02/91] Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()" Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 03/91] rapidio/rionet: do not free skb before reading its length Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 04/91] s390/qeth: fix length check in SNMP processing Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 05/91] usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 06/91] kvm: mmu: Fix race in emulated page table writes Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 07/91] xtensa: enable coprocessors that are being flushed Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 08/91] xtensa: fix coprocessor context offset definitions Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 09/91] Btrfs: ensure path name is null terminated at btrfs_control_ioctl Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 10/91] ALSA: wss: Fix invalid snd_free_pages() at error path Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 11/91] ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 12/91] ALSA: control: Fix race between adding and removing a user element Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 13/91] ALSA: sparc: Fix invalid snd_free_pages() at error path Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 14/91] ext2: fix potential use after free Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 15/91] dmaengine: at_hdmac: fix memory leak in at_dma_xlate() Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 16/91] dmaengine: at_hdmac: fix module unloading Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 17/91] btrfs: release metadata before running delayed refs Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 18/91] USB: usb-storage: Add new IDs to ums-realtek Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 19/91] usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 20/91] misc: mic/scif: fix copy-paste error in scif_create_remote_lookup Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 21/91] Kbuild: suppress packed-not-aligned warning for default setting only Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 22/91] exec: avoid gcc-8 warning for get_task_comm Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 23/91] disable stringop truncation warnings for now Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 24/91] kobject: Replace strncpy with memcpy Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 25/91] unifdef: use memcpy instead of strncpy Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 26/91] kernfs: Replace strncpy with memcpy Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 27/91] ip_tunnel: Fix name string concatenate in __ip_tunnel_create() Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 28/91] drm: gma500: fix logic error Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 29/91] scsi: bfa: convert to strlcpy/strlcat Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 30/91] staging: rts5208: fix gcc-8 logic error warning Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 31/91] kdb: use memmove instead of overlapping memcpy Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 32/91] iser: set sector for ambiguous mr status errors Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 33/91] uprobes: Fix handle_swbp() vs. unregister() + register() race once more Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 34/91] MIPS: ralink: Fix mt7620 nd_sd pinmux Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 35/91] mips: fix mips_get_syscall_arg o32 check Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 36/91] drm/ast: Fix incorrect free on ioregs Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 37/91] scsi: scsi_devinfo: cleanly zero-pad devinfo strings Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 38/91] ALSA: trident: Suppress gcc string warning Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 39/91] scsi: csiostor: Avoid content leaks and casts Greg Kroah-Hartman
2018-12-11 15:40 ` [PATCH 4.4 40/91] kgdboc: Fix restrict error Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 41/91] kgdboc: Fix warning with module build Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 42/91] leds: call led_pwm_set() in leds-pwm to enforce default LED_OFF Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 43/91] leds: turn off the LED and wait for completion on unregistering LED class device Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 44/91] leds: leds-gpio: Fix return value check in create_gpio_led() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 45/91] Input: xpad - quirk all PDP Xbox One gamepads Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 46/91] Input: matrix_keypad - check for errors from of_get_named_gpio() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 47/91] Input: elan_i2c - add ELAN0620 to the ACPI table Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 48/91] Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 49/91] Input: elan_i2c - add support for ELAN0621 touchpad Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 50/91] btrfs: Always try all copies when reading extent buffers Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 51/91] Btrfs: fix use-after-free when dumping free space Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 52/91] ARC: change defconfig defaults to ARCv2 Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 53/91] arc: [devboards] Add support of NFSv3 ACL Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 54/91] mm: cleancache: fix corruption on missed inode invalidation Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 55/91] mm: mlock: avoid increase mm->locked_vm on mlock() when already mlock2(,MLOCK_ONFAULT) Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 56/91] usb: gadget: dummy: fix nonsensical comparisons Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 57/91] iommu/vt-d: Fix NULL pointer dereference in prq_event_thread() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 58/91] iommu/ipmmu-vmsa: Fix crash on early domain free Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 59/91] can: rcar_can: Fix erroneous registration Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 60/91] batman-adv: Expand merged fragment buffer for full packet Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 61/91] bnx2x: Assign unique DMAE channel number for FW DMAE transactions Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 62/91] qed: Fix PTT leak in qed_drain() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 63/91] qed: Fix reading wrong value in loop condition Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 64/91] net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 65/91] net/mlx4_core: Fix uninitialized variable compilation warning Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 66/91] net/mlx4: Fix UBSAN warning of signed integer overflow Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 67/91] net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 68/91] iommu/vt-d: Use memunmap to free memremap Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 69/91] net: amd: add missing of_node_put() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 70/91] usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 71/91] usb: appledisplay: Add 27" Apple Cinema Display Greg Kroah-Hartman
2018-12-11 15:41 ` Greg Kroah-Hartman [this message]
2018-12-11 15:41 ` [PATCH 4.4 73/91] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 74/91] ALSA: hda: Add support for AMD Stoney Ridge Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 75/91] ALSA: pcm: Fix starvation on down_write_nonblock() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 76/91] ALSA: pcm: Call snd_pcm_unlink() conditionally at closing Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 77/91] ALSA: pcm: Fix interval evaluation with openmin/max Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 78/91] virtio/s390: avoid race on vcdev->config Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 79/91] virtio/s390: fix race in ccw_io_helper() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 80/91] SUNRPC: Fix leak of krb5p encode pages Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 81/91] dmaengine: cppi41: delete channel from pending list when stop channel Greg Kroah-Hartman
2018-12-12 16:40   ` Bin Liu
2018-12-11 15:41 ` [PATCH 4.4 82/91] xhci: Prevent U1/U2 link pm states if exit latency is too long Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 83/91] Staging: lustre: remove two build warnings Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 84/91] cifs: Fix separator when building path from dentry Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 85/91] tty: serial: 8250_mtk: always resume the device in probe Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 86/91] kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 87/91] mac80211_hwsim: Timer should be initialized before device registered Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 88/91] mac80211: Clear beacon_int in ieee80211_do_stop Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 89/91] mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 90/91] mac80211: fix reordering of buffered broadcast packets Greg Kroah-Hartman
2018-12-11 15:41 ` [PATCH 4.4 91/91] mac80211: ignore NullFunc frames in the duplicate detection Greg Kroah-Hartman
2018-12-11 21:53 ` [PATCH 4.4 00/91] 4.4.167-stable review kernelci.org bot
2018-12-11 23:56 ` shuah
2018-12-12  7:05 ` Naresh Kamboju
2018-12-12 14:24 ` Guenter Roeck
2018-12-12 17:29   ` Greg Kroah-Hartman
2018-12-12 19:15 ` Harsh Shandilya
2018-12-13  8:04   ` Greg Kroah-Hartman
2018-12-12 22:20 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181211151612.247415249@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=benquike@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mathias.payer@nebelwelt.net \
    --cc=stable@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).