Subject: patch "USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor" added to usb-linus
To: stern@rowland.harvard.edu, gregkh@linuxfoundation.org, stable@vger.kernel.org
From:
Date: Tue, 21 May 2019 10:09:13 +0200
Message-ID: <1558426153192227@kroah.com>
X-Mailing-List: stable@vger.kernel.org

This is a note to let you know that I've just added the patch titled

    USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor

to my usb git tree which can be found at
    git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
in the usb-linus branch.

The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)

The patch will hopefully also be merged in Linus's tree for the
next -rc kernel release.

If you have any questions about this process, please let me know.

From a03ff54460817c76105f81f3aa8ef655759ccc9a Mon Sep 17 00:00:00 2001
From: Alan Stern
Date: Mon, 13 May 2019 13:14:29 -0400
Subject: USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor

The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the
USB core, caused by a failure to check the actual size of a BOS
descriptor.

This patch adds a check to make sure the descriptor is at least as
large as it is supposed to be, so that the code doesn't inadvertently
access memory beyond the end of the allocated region when assigning
to dev->bos->desc->bNumDeviceCaps later on.

Signed-off-by: Alan Stern
Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com
CC:
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/core/config.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 20ff036b4c22..9d6cb709ca7b 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -932,8 +932,8 @@ int usb_get_bos_descriptor(struct usb_device *dev) /* Get BOS descriptor */ ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE); - if (ret < USB_DT_BOS_SIZE) { - dev_err(ddev, "unable to get BOS descriptor\n"); + if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) { + dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n"); if (ret >= 0) ret = -ENOMSG; kfree(bos); -- 2.21.0
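
Review bot: The rewritten `dev_err` string in the `@@ -932,8 +932,8 @@` hunk folds two different failures into one message ("unable to get BOS descriptor or descriptor too short"), so a log reader cannot tell a failed or short control transfer (`ret < USB_DT_BOS_SIZE`) from a device that returned a full-size read whose `bLength` field is undersized, which is the malformed-descriptor case this patch is about. Consider reporting the two cases separately, or at least including `ret` and `bos->bLength` in the message; as written, both also collapse to `-ENOMSG` whenever `ret >= 0`. The operand order of the `||` is right and worth keeping: `bos->bLength` is only read once `ret` shows that at least `USB_DT_BOS_SIZE` bytes were returned.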