From: Shuah Khan To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org Cc: Shuah Khan , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 4.4 3/4] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input Date: Thu, 25 Jan 2018 11:37:43 -0700 Message-Id: X-Mailer: git-send-email 2.14.1 In-Reply-To: References: In-Reply-To: References: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Upstream commit c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") Harden CMD_SUBMIT path to handle malicious input that could trigger large memory allocations. Add checks to validate transfer_buffer_length and number_of_packets to protect against bad input requesting for unbounded memory allocations. Validate early in get_pipe() and return failure. Reported-by: Secunia Research Cc: stable Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman --- drivers/usb/usbip/stub_rx.c | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c index e617c90661b4..56cacb68040c 100644 --- a/drivers/usb/usbip/stub_rx.c +++ b/drivers/usb/usbip/stub_rx.c @@ -338,11 +338,13 @@ static struct stub_priv *stub_priv_alloc(struct stub_device *sdev, return priv; } -static int get_pipe(struct stub_device *sdev, int epnum, int dir) +static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) { struct usb_device *udev = sdev->udev; struct usb_host_endpoint *ep; struct usb_endpoint_descriptor *epd = NULL; + int epnum = pdu->base.ep; + int dir = pdu->base.direction; if (epnum < 0 || epnum > 15) goto err_ret; @@ -355,6 +357,7 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) goto err_ret; epd = &ep->desc; + if (usb_endpoint_xfer_control(epd)) { if (dir == USBIP_DIR_OUT) return usb_sndctrlpipe(udev, epnum); 
@@ -377,6 +380,27 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) } if (usb_endpoint_xfer_isoc(epd)) { + /* validate packet size and number of packets */ + unsigned int maxp, packets, bytes; + +#define USB_EP_MAXP_MULT_SHIFT 11 +#define USB_EP_MAXP_MULT_MASK (3 << USB_EP_MAXP_MULT_SHIFT) +#define USB_EP_MAXP_MULT(m) \ + (((m) & USB_EP_MAXP_MULT_MASK) >> USB_EP_MAXP_MULT_SHIFT) + + maxp = usb_endpoint_maxp(epd); + maxp *= (USB_EP_MAXP_MULT( + __le16_to_cpu(epd->wMaxPacketSize)) + 1); + bytes = pdu->u.cmd_submit.transfer_buffer_length; + packets = DIV_ROUND_UP(bytes, maxp); + + if (pdu->u.cmd_submit.number_of_packets < 0 || + pdu->u.cmd_submit.number_of_packets > packets) { + dev_err(&sdev->udev->dev, + "CMD_SUBMIT: isoc invalid num packets %d\n", + pdu->u.cmd_submit.number_of_packets); + return -1; + } if (dir == USBIP_DIR_OUT) return usb_sndisocpipe(udev, epnum); else @@ -385,7 +409,7 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) err_ret: /* NOT REACHED */ - dev_err(&sdev->udev->dev, "get pipe() invalid epnum %d\n", epnum); + dev_err(&sdev->udev->dev, "CMD_SUBMIT: invalid epnum %d\n", epnum); return -1; } @@ -450,7 +474,7 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, struct stub_priv *priv; struct usbip_device *ud = &sdev->ud; struct usb_device *udev = sdev->udev; - int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction); + int pipe = get_pipe(sdev, pdu); if (pipe == -1) return; -- 2.14.1
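Review bot: In the isoc hunk (@@ -377,6 +380,27 @@), `bytes = pdu->u.cmd_submit.transfer_buffer_length;` copies the wire value into an unsigned int without any range check, so the `packets` bound is only as tight as that unchecked field. If the field is signed (its declaration is not part of this diff), a negative length converts to a very large `bytes`, `packets` becomes correspondingly large, and almost any `number_of_packets` passes the comparison. The commit message says transfer_buffer_length is validated, but nothing in the patch rejects a length on its own, and for control, bulk and interrupt endpoints the new code is not reached at all. Suggest rejecting a negative or oversized transfer_buffer_length before computing `packets`, ahead of the per-type branches so it applies to every endpoint type. Separately, `DIV_ROUND_UP(bytes, maxp)` divides by a value read from the endpoint descriptor; if an endpoint reports a zero wMaxPacketSize this divides by zero, so a `maxp == 0` check before the division would be worth adding. The three `USB_EP_MAXP_MULT*` macros would also read better at file scope than defined inside the `if` body.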
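Review bot: In the err_ret hunk (@@ -385,7 +409,7 @@), the `/* NOT REACHED */` comment kept above the reworded `dev_err()` is wrong, since the `goto err_ret` statements earlier in get_pipe() do reach this label, including the `epnum < 0 || epnum > 15` check that now acts on a value taken from the PDU. Suggest dropping the comment in the same change so that the error path reads as the intended rejection path for bad input. The new isoc failure returns -1 directly with its own message rather than going through err_ret, which is fine, but it means the function now has two differently worded failure exits; a one-line comment on get_pipe() stating that it returns -1 for any invalid CMD_SUBMIT field would document that for callers such as stub_recv_cmd_submit().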
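Review bot: In the second hunk (@@ -355,6 +357,7 @@), the only change is an added blank line between `epd = &ep->desc;` and `if (usb_endpoint_xfer_control(epd)) {`, which is unrelated to the hardening. If it is not needed to keep the backport identical to the upstream commit, drop it so the stable diff carries only the functional changes.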