From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>,
Johan Hovold <johan@kernel.org>,
syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 16/33] USB: core: Avoid WARNings for 0-length descriptor requests
Date: Fri, 9 Jul 2021 22:34:58 -0400 [thread overview]
Message-ID: <20210710023516.3172075-16-sashal@kernel.org> (raw)
In-Reply-To: <20210710023516.3172075-1-sashal@kernel.org>
From: Alan Stern <stern@rowland.harvard.edu>
[ Upstream commit 60dfe484cef45293e631b3a6e8995f1689818172 ]
The USB core has utility routines to retrieve various types of
descriptors. These routines will now provoke a WARN if they are asked
to retrieve 0 bytes (USB "receive" requests must not have zero
length), so avert this by checking the size argument at the start.
CC: Johan Hovold <johan@kernel.org>
Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20210607152307.GD1768031@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/core/message.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 7337d8f317aa..ff785b52da99 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -645,6 +645,9 @@ int usb_get_descriptor(struct usb_device *dev, unsigned char type,
int i;
int result;
+ if (size <= 0) /* No point in asking for no data */
+ return -EINVAL;
+
memset(buf, 0, size); /* Make sure we parse really received data */
for (i = 0; i < 3; ++i) {
@@ -693,6 +696,9 @@ static int usb_get_string(struct usb_device *dev, unsigned short langid,
int i;
int result;
+ if (size <= 0) /* No point in asking for no data */
+ return -EINVAL;
+
for (i = 0; i < 3; ++i) {
/* retry on length 0 or stall; some devices are flakey */
result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
--
2.30.2
next prev parent reply other threads:[~2021-07-10 2:37 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-10 2:34 [PATCH AUTOSEL 4.14 01/33] tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 02/33] misc/libmasm/module: Fix two use after free in ibmasm_init_one Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 03/33] Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 04/33] w1: ds2438: fixing bug that would always get page0 Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 05/33] scsi: hisi_sas: Propagate errors in interrupt_init_v1_hw() Sasha Levin
2021-07-10 9:14 ` Sergey Shtylyov
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 06/33] scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 07/33] scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 08/33] scsi: core: Cap scsi_host cmd_per_lun at can_queue Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 09/33] tty: serial: 8250: serial_cs: Fix a memory leak in error handling path Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 10/33] fs/jfs: Fix missing error code in lmLogInit() Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 11/33] scsi: iscsi: Add iscsi_cls_conn refcount helpers Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 12/33] scsi: iscsi: Fix shost->max_id use Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 13/33] scsi: qedi: Fix null ref during abort handling Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 14/33] mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE Sasha Levin
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 15/33] s390/sclp_vt220: fix console name to match device Sasha Levin
2021-07-10 2:34 ` Sasha Levin [this message]
2021-07-10 2:34 ` [PATCH AUTOSEL 4.14 17/33] ALSA: sb: Fix potential double-free of CSP mixer elements Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 18/33] powerpc/ps3: Add dma_mask to ps3_dma_region Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 19/33] gpio: zynq: Check return value of pm_runtime_get_sync Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 20/33] ALSA: ppc: fix error return code in snd_pmac_probe() Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 21/33] selftests/powerpc: Fix "no_handler" EBB selftest Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 22/33] ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing() Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 23/33] ALSA: bebob: add support for ToneWeal FW66 Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 24/33] usb: gadget: f_hid: fix endianness issue with descriptors Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 25/33] usb: gadget: hid: fix error return code in hid_bind() Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 26/33] powerpc/boot: Fixup device-tree on little endian Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 27/33] backlight: lm3630a: Fix return code of .update_status() callback Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 28/33] ALSA: hda: Add IRQ check for platform_get_irq() Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 29/33] jfs: fix GPF in diFree Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 30/33] staging: rtl8723bs: fix macro value for 2.4Ghz only device Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 31/33] intel_th: Wait until port is in reset before programming it Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 32/33] i2c: core: Disable client irq on reboot/shutdown Sasha Levin
2021-07-10 2:35 ` [PATCH AUTOSEL 4.14 33/33] lib/decompress_unlz4.c: correctly handle zero-padding around initrds Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210710023516.3172075-16-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=johan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).