Phil and I found out a problem with commit:
7e860a6e ("cdc-acm: add sanity checks")
It added some sanity checks to ignore potential garbage in CDC headers but
also introduced a potential infinite loop. This can happen at the first
loop iteration (elength = 0 in that case) if the description isn't a
DT_CS_INTERFACE or later if 'buffer[0]' is zero.
It should also be noted that the wrong length was being added to 'buffer'
in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
assigned after that check in the loop.
A specially crafted USB device could be used to trigger this infinite loop.
Fixes: 7e860a6e ("cdc-acm: add sanity checks")
Signed-off-by: Phil Turnbull <[email protected]>
Signed-off-by: Quentin Casasnovas <[email protected]>
CC: Oliver Neukum <[email protected]>
CC: Adam Lee <[email protected]>
---
drivers/usb/class/cdc-acm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 6836177..1ac4587 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1133,11 +1133,12 @@ static int acm_probe(struct usb_interface *intf,
}
while (buflen > 0) {
+ if ((elength = buffer[0]) == 0)
+ break;
if (buffer[1] != USB_DT_CS_INTERFACE) {
dev_err(&intf->dev, "skipping garbage\n");
goto next_desc;
}
- elength = buffer[0];
switch (buffer[2]) {
case USB_CDC_UNION_TYPE: /* we've found it */
--
2.0.5
On Mon, Apr 13, 2015 at 05:24:04PM +0200, Quentin Casasnovas wrote:
> Phil and I found out a problem with commit:
>
> 7e860a6e ("cdc-acm: add sanity checks")
>
> It added some sanity checks to ignore potential garbage in CDC headers but
> also introduced a potential infinite loop. This can happen at the first
> loop iteration (elength = 0 in that case) if the description isn't a
> DT_CS_INTERFACE or later if 'buffer[0]' is zero.
>
> It should also be noted that the wrong length was being added to 'buffer'
> in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
> assigned after that check in the loop.
>
> A specially crafted USB device could be used to trigger this infinite loop.
Yes, "elength = buffer[0]" should be moved to the front of
USB_DT_CS_INTERFACE check, ACK this part.
But I don't know in what case the buffer[0] could be zero, if it
happens, better to set elength 1 then goto next_desc? (I'm not a
maintainer, pleas also consider others' opinion)
--
Adam Lee
http://adam8157.info
Adding Greg on CC as suggested by Oliver.
On Mon, Apr 13, 2015 at 05:24:04PM +0200, Quentin Casasnovas wrote:
> Phil and I found out a problem with commit:
>
> 7e860a6e ("cdc-acm: add sanity checks")
>
> It added some sanity checks to ignore potential garbage in CDC headers but
> also introduced a potential infinite loop. This can happen at the first
> loop iteration (elength = 0 in that case) if the description isn't a
> DT_CS_INTERFACE or later if 'buffer[0]' is zero.
>
> It should also be noted that the wrong length was being added to 'buffer'
> in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
> assigned after that check in the loop.
>
> A specially crafted USB device could be used to trigger this infinite loop.
>
> Fixes: 7e860a6e ("cdc-acm: add sanity checks")
> Signed-off-by: Phil Turnbull <[email protected]>
> Signed-off-by: Quentin Casasnovas <[email protected]>
> CC: Oliver Neukum <[email protected]>
> CC: Adam Lee <[email protected]>
> ---
> drivers/usb/class/cdc-acm.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
> index 6836177..1ac4587 100644
> --- a/drivers/usb/class/cdc-acm.c
> +++ b/drivers/usb/class/cdc-acm.c
> @@ -1133,11 +1133,12 @@ static int acm_probe(struct usb_interface *intf,
> }
>
> while (buflen > 0) {
> + if ((elength = buffer[0]) == 0)
> + break;
> if (buffer[1] != USB_DT_CS_INTERFACE) {
> dev_err(&intf->dev, "skipping garbage\n");
> goto next_desc;
> }
> - elength = buffer[0];
>
> switch (buffer[2]) {
> case USB_CDC_UNION_TYPE: /* we've found it */
> --
> 2.0.5
>
On Mon, Apr 13, 2015 at 11:48:27PM +0800, Adam Lee wrote:
> On Mon, Apr 13, 2015 at 05:24:04PM +0200, Quentin Casasnovas wrote:
> > Phil and I found out a problem with commit:
> >
> > 7e860a6e ("cdc-acm: add sanity checks")
> >
> > It added some sanity checks to ignore potential garbage in CDC headers but
> > also introduced a potential infinite loop. This can happen at the first
> > loop iteration (elength = 0 in that case) if the description isn't a
> > DT_CS_INTERFACE or later if 'buffer[0]' is zero.
> >
> > It should also be noted that the wrong length was being added to 'buffer'
> > in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
> > assigned after that check in the loop.
> >
> > A specially crafted USB device could be used to trigger this infinite loop.
>
> Yes, "elength = buffer[0]" should be moved to the front of
> USB_DT_CS_INTERFACE check, ACK this part.
>
> But I don't know in what case the buffer[0] could be zero, if it
> happens, better to set elength 1 then goto next_desc? (I'm not a
> maintainer, pleas also consider others' opinion)
>
Hi Adam,
I'm happy to change it as you suggest, though at that point we'll probably
be trying to parse garbage anyway.
If nobody had a different opinion in the meantime, I'll send a v2 tomorrow.
Thanks for the review :)
Quentin
Hello.
On 04/13/2015 06:24 PM, Quentin Casasnovas wrote:
> Phil and I found out a problem with commit:
> 7e860a6e ("cdc-acm: add sanity checks")
> It added some sanity checks to ignore potential garbage in CDC headers but
> also introduced a potential infinite loop. This can happen at the first
> loop iteration (elength = 0 in that case) if the description isn't a
> DT_CS_INTERFACE or later if 'buffer[0]' is zero.
> It should also be noted that the wrong length was being added to 'buffer'
> in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
> assigned after that check in the loop.
> A specially crafted USB device could be used to trigger this infinite loop.
> Fixes: 7e860a6e ("cdc-acm: add sanity checks")
12-digit SHA1 hash is required here.
> Signed-off-by: Phil Turnbull <[email protected]>
> Signed-off-by: Quentin Casasnovas <[email protected]>
> CC: Oliver Neukum <[email protected]>
> CC: Adam Lee <[email protected]>
> ---
> drivers/usb/class/cdc-acm.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
> index 6836177..1ac4587 100644
> --- a/drivers/usb/class/cdc-acm.c
> +++ b/drivers/usb/class/cdc-acm.c
> @@ -1133,11 +1133,12 @@ static int acm_probe(struct usb_interface *intf,
> }
>
> while (buflen > 0) {
> + if ((elength = buffer[0]) == 0)
Please run your patches thru scripts/checkpatch.pl. Assignments in the
*if* operator are not allowed.
[...]
WBR, Sergei
Phil and I found out a problem with commit:
7e860a6e7aa6 ("cdc-acm: add sanity checks")
It added some sanity checks to ignore potential garbage in CDC headers but
also introduced a potential infinite loop. This can happen at the first
loop iteration (elength = 0 in that case) if the description isn't a
DT_CS_INTERFACE or later if 'buffer[0]' is zero.
It should also be noted that the wrong length was being added to 'buffer'
in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
assigned after that check in the loop.
A specially crafted USB device could be used to trigger this infinite loop.
v2:
- Use 12-digits sha1 to reference the offending commit.
- Do not break from the loop and try next byte instead.
- Move the assignment outside the 'if'.
- Add a debug print.
Fixes: 7e860a6e7aa6 ("cdc-acm: add sanity checks")
Signed-off-by: Phil Turnbull <[email protected]>
Signed-off-by: Quentin Casasnovas <[email protected]>
CC: Sergei Shtylyov <[email protected]>
CC: Oliver Neukum <[email protected]>
CC: Adam Lee <[email protected]>
CC: <[email protected]>
---
drivers/usb/class/cdc-acm.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 6836177..220c0fd 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1133,11 +1133,16 @@ static int acm_probe(struct usb_interface *intf,
}
while (buflen > 0) {
+ elength = buffer[0];
+ if (!elength) {
+ dev_err(&intf->dev, "skipping garbage byte\n");
+ elength = 1;
+ goto next_desc;
+ }
if (buffer[1] != USB_DT_CS_INTERFACE) {
dev_err(&intf->dev, "skipping garbage\n");
goto next_desc;
}
- elength = buffer[0];
switch (buffer[2]) {
case USB_CDC_UNION_TYPE: /* we've found it */
--
2.0.5
Hello.
On 4/13/2015 7:20 PM, Sergei Shtylyov wrote:
>> Phil and I found out a problem with commit:
>> 7e860a6e ("cdc-acm: add sanity checks")
>> It added some sanity checks to ignore potential garbage in CDC headers but
>> also introduced a potential infinite loop. This can happen at the first
>> loop iteration (elength = 0 in that case) if the description isn't a
>> DT_CS_INTERFACE or later if 'buffer[0]' is zero.
>
>> It should also be noted that the wrong length was being added to 'buffer'
>> in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was
>> assigned after that check in the loop.
>> A specially crafted USB device could be used to trigger this infinite loop.
>> Fixes: 7e860a6e ("cdc-acm: add sanity checks")
> 12-digit SHA1 hash is required here.
>> Signed-off-by: Phil Turnbull <[email protected]>
>> Signed-off-by: Quentin Casasnovas <[email protected]>
>> CC: Oliver Neukum <[email protected]>
>> CC: Adam Lee <[email protected]>
>> ---
>> drivers/usb/class/cdc-acm.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
>> index 6836177..1ac4587 100644
>> --- a/drivers/usb/class/cdc-acm.c
>> +++ b/drivers/usb/class/cdc-acm.c
>> @@ -1133,11 +1133,12 @@ static int acm_probe(struct usb_interface *intf,
>> }
>>
>> while (buflen > 0) {
>> + if ((elength = buffer[0]) == 0)
> Please run your patches thru scripts/checkpatch.pl. Assignments in the
> *if* operator are not allowed.
s/operator/statement/, of course. :-)
> [...]
WBR, Sergei
On Tue, Apr 14, 2015 at 11:25:43AM +0200, Quentin Casasnovas wrote:
> Phil and I found out a problem with commit:
>
> 7e860a6e7aa6 ("cdc-acm: add sanity checks")
>
Any comment on v2?
Thanks,
Quentin
On Mon, Apr 20, 2015 at 01:54:56PM +0200, Quentin Casasnovas wrote:
> On Tue, Apr 14, 2015 at 11:25:43AM +0200, Quentin Casasnovas wrote:
> > Phil and I found out a problem with commit:
> >
> > 7e860a6e7aa6 ("cdc-acm: add sanity checks")
> >
>
> Any comment on v2?
I can't do anything with any patches until 4.1-rc1 is released so please
just be patient.