From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com
Subject: [PATCH 4.9 26/83] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
Date: Sun, 9 Jun 2019 18:41:56 +0200 [thread overview]
Message-ID: <20190609164129.800672131@linuxfoundation.org> (raw)
In-Reply-To: <20190609164127.843327870@linuxfoundation.org>
From: Alan Stern <stern@rowland.harvard.edu>
commit a03ff54460817c76105f81f3aa8ef655759ccc9a upstream.
The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the
USB core, caused by a failure to check the actual size of a BOS
descriptor. This patch adds a check to make sure the descriptor is at
least as large as it is supposed to be, so that the code doesn't
inadvertently access memory beyond the end of the allocated region
when assigning to dev->bos->desc->bNumDeviceCaps later on.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/config.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -931,8 +931,8 @@ int usb_get_bos_descriptor(struct usb_de
/* Get BOS descriptor */
ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE);
- if (ret < USB_DT_BOS_SIZE) {
- dev_err(ddev, "unable to get BOS descriptor\n");
+ if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) {
+ dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n");
if (ret >= 0)
ret = -ENOMSG;
kfree(bos);
next prev parent reply other threads:[~2019-06-09 16:54 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-09 16:41 [PATCH 4.9 00/83] 4.9.181-stable review Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 01/83] ipv6: Consider sk_bound_dev_if when binding a raw socket to an address Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 02/83] llc: fix skb leak in llc_build_and_send_ui_pkt() Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 03/83] net: fec: fix the clk mismatch in failed_reset path Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 04/83] net-gro: fix use-after-free read in napi_gro_frags() Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 05/83] net: stmmac: fix reset gpio free missing Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 06/83] usbnet: fix kernel crash after disconnect Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 07/83] tipc: Avoid copying bytes beyond the supplied data Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 08/83] bnxt_en: Fix aggregation buffer leak under OOM condition Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 09/83] ipv4/igmp: fix another memory leak in igmpv3_del_delrec() Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 10/83] ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 11/83] net: dsa: mv88e6xxx: fix handling of upper half of STATS_TYPE_PORT Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 12/83] net: mvneta: Fix err code path of probe Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 13/83] net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 14/83] crypto: vmx - ghash: do nosimd fallback manually Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 15/83] xen/pciback: Dont disable PCI_COMMAND on PCI device reset Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 16/83] Revert "tipc: fix modprobe tipc failed after switch order of device registration" Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 17/83] tipc: fix modprobe tipc failed after switch order of device registration Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 18/83] sparc64: Fix regression in non-hypervisor TLB flush xcall Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 19/83] include/linux/bitops.h: sanitize rotate primitives Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 20/83] xhci: update bounce buffer with correct sg num Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 21/83] xhci: Use %zu for printing size_t type Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 22/83] xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic() Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 23/83] usb: xhci: avoid null pointer deref when bos field is NULL Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 24/83] usbip: usbip_host: fix BUG: sleeping function called from invalid context Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 25/83] usbip: usbip_host: fix stub_dev lock context imbalance regression Greg Kroah-Hartman
2019-06-09 16:41 ` Greg Kroah-Hartman [this message]
2019-06-09 16:41 ` [PATCH 4.9 27/83] USB: sisusbvga: fix oops in error path of sisusb_probe Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 28/83] USB: Add LPM quirk for Surface Dock GigE adapter Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.9 29/83] USB: rio500: refuse more than one device at a time Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 30/83] USB: rio500: fix memory leak in close after disconnect Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 31/83] media: usb: siano: Fix general protection fault in smsusb Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 32/83] media: usb: siano: Fix false-positive "uninitialized variable" warning Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 33/83] media: smsusb: better handle optional alignment Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 34/83] scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 35/83] scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs) Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 36/83] Btrfs: fix race updating log root item during fsync Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 37/83] powerpc/perf: Fix MMCRA corruption by bhrb_filter Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 38/83] ALSA: hda/realtek - Set default power save node to 0 Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 39/83] drm/nouveau/i2c: Disable i2c bus access after ->fini() Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 40/83] tty: serial: msm_serial: Fix XON/XOFF Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 41/83] tty: max310x: Fix external crystal register setup Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 42/83] memcg: make it work on sparse non-0-node systems Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 43/83] kernel/signal.c: trace_signal_deliver when signal_group_exit Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 44/83] docs: Fix conf.py for Sphinx 2.0 Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 45/83] staging: vc04_services: prevent integer overflow in create_pagelist() Greg Kroah-Hartman
2019-06-19 16:02 ` Martin Weinelt
2019-06-19 17:13 ` Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 46/83] CIFS: cifs_read_allocate_pages: dont iterate through whole page array on ENOMEM Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 47/83] gcc-plugins: Fix build failures under Darwin host Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 48/83] drm/vmwgfx: Dont send drm sysfs hotplug events on initial master set Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 49/83] brcmfmac: add length checks in scheduled scan result handler Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 50/83] brcmfmac: assure SSID length from firmware is limited Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 51/83] brcmfmac: add subtype check for event handling in data path Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 52/83] binder: Replace "%p" with "%pK" for stable Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 53/83] binder: replace "%p" with "%pK" Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 54/83] fs: prevent page refcount overflow in pipe_buf_get Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 55/83] mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 56/83] mm, gup: ensure real head page is ref-counted when using hugepages Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 57/83] mm: prevent get_user_pages() from overflowing page refcount Greg Kroah-Hartman
2019-07-31 15:14 ` Vlastimil Babka
2019-06-09 16:42 ` [PATCH 4.9 58/83] mm: make page ref count overflow check tighter and more explicit Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 59/83] Revert "x86/build: Move _etext to actual end of .text" Greg Kroah-Hartman
2019-06-10 11:57 ` Willy Tarreau
2019-06-09 16:42 ` [PATCH 4.9 60/83] efi/libstub: Unify command line param parsing Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 61/83] media: uvcvideo: Fix uvc_alloc_entity() allocation alignment Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 62/83] ethtool: fix potential userspace buffer overflow Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 63/83] neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 64/83] net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 65/83] net: rds: fix memory leak in rds_ib_flush_mr_pool Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 66/83] pktgen: do not sleep with the thread lock held Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 67/83] ipv6: fix EFAULT on sendto with icmpv6 and hdrincl Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 68/83] ipv6: use READ_ONCE() for inet->hdrincl as in ipv4 Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 69/83] Revert "fib_rules: fix error in backport of e9919a24d302 ("fib_rules: return 0...")" Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 70/83] Revert "fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied" Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 71/83] rcu: locking and unlocking need to always be at least barriers Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 72/83] parisc: Use implicit space register selection for loading the coherence index of I/O pdirs Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 73/83] fuse: fallocate: fix return with locked inode Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 74/83] x86/power: Fix nosmt vs hibernation triple fault during resume Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 75/83] MIPS: pistachio: Build uImage.gz by default Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 76/83] Revert "MIPS: perf: ath79: Fix perfcount IRQ assignment" Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 77/83] genwqe: Prevent an integer overflow in the ioctl Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 78/83] drm/gma500/cdv: Check vbt config bits when detecting lvds panels Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 79/83] drm/radeon: prefer lower reference dividers Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 80/83] drm/i915: Fix I915_EXEC_RING_MASK Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 81/83] TTY: serial_core, add ->install Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 82/83] fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.9 83/83] fuse: Add FOPEN_STREAM to use stream_open() Greg Kroah-Hartman
2019-06-09 22:10 ` [PATCH 4.9 00/83] 4.9.181-stable review kernelci.org bot
2019-06-10 6:38 ` Naresh Kamboju
2019-06-10 8:50 ` Jon Hunter
2019-06-10 14:42 ` Guenter Roeck
2019-06-10 21:49 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190609164129.800672131@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).