linux-kernel.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>,
	Johan Hovold <johan@kernel.org>,
	syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 33/63] USB: core: Avoid WARNings for 0-length descriptor requests
Date: Fri,  9 Jul 2021 22:26:39 -0400
Message-ID: <20210710022709.3170675-33-sashal@kernel.org>
In-Reply-To: <20210710022709.3170675-1-sashal@kernel.org>

From: Alan Stern <stern@rowland.harvard.edu>

[ Upstream commit 60dfe484cef45293e631b3a6e8995f1689818172 ]

The USB core has utility routines to retrieve various types of
descriptors.  These routines will now provoke a WARN if they are asked
to retrieve 0 bytes (USB "receive" requests must not have zero
length), so avert this by checking the size argument at the start.

CC: Johan Hovold <johan@kernel.org>
Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20210607152307.GD1768031@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/core/message.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 041c68ea329f..7ca908704777 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -647,6 +647,9 @@ int usb_get_descriptor(struct usb_device *dev, unsigned char type,
 	int i;
 	int result;
 
+	if (size <= 0)		/* No point in asking for no data */
+		return -EINVAL;
+
 	memset(buf, 0, size);	/* Make sure we parse really received data */
 
 	for (i = 0; i < 3; ++i) {
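
Review bot: the comment on the new `size <= 0` check in usb_get_descriptor() only describes the zero case ("No point in asking for no data"), while the condition also rejects negative sizes. Because the check sits ahead of `memset(buf, 0, size)`, it is also what keeps a negative size from reaching the memset, so the comment could say "zero or negative size". The diffstat shows only the six added lines, so the function's header comment is untouched; if it lists return values, -EINVAL for a non-positive size belongs there.
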
@@ -695,6 +698,9 @@ static int usb_get_string(struct usb_device *dev, unsigned short langid,
 	int i;
 	int result;
 
+	if (size <= 0)		/* No point in asking for no data */
+		return -EINVAL;
+
 	for (i = 0; i < 3; ++i) {
 		/* retry on length 0 or stall; some devices are flakey */
 		result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
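
Review bot: in usb_get_string() the new comment "No point in asking for no data" lands directly above a loop whose own comment reads "retry on length 0 or stall", and the two refer to different lengths: the first to the requested size, the second to what the device returned. Wording the new comment as "zero-length request" would keep them apart. The early return also means -EINVAL now comes back before any of the three attempts is made, and since this is the same three-line check as in usb_get_descriptor(), the changelog could state that both routines now return -EINVAL for a non-positive size.
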
-- 
2.30.2

