From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andrey Konovalov, Mauro Carvalho Chehab
Subject: [PATCH 4.14 028/159] media: pvrusb2: properly check endpoint types
Date: Fri, 23 Feb 2018 19:25:36 +0100
Message-Id: <20180223170746.619596635@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andrey Konovalov

commit 72c27a68a2a3f650f0dc7891ee98f02283fc11af upstream.

As syzkaller detected, pvrusb2 driver submits bulk urb without checking
that the endpoint type is actually bulk. Add a check.

usb 1-1: BOGUS urb xfer, pipe 3 != type 1
------------[ cut here ]------------
WARNING: CPU: 1 PID: 2713 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0
Modules linked in:
CPU: 1 PID: 2713 Comm: pvrusb2-context Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #210
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006b7a18c0 task.stack: ffff880069978000
RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
RSP: 0018:ffff88006997f990 EFLAGS: 00010286
RAX: 0000000000000029 RBX: ffff880063661900 RCX: 0000000000000000
RDX: 0000000000000029 RSI: ffffffff86876d60 RDI: ffffed000d32ff24
RBP: ffff88006997fa90 R08: 1ffff1000d32fdca R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1000d32ff39
R13: 0000000000000001 R14: 0000000000000003 R15: ffff880068bbed68
FS: 0000000000000000(0000) GS:ffff88006c600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001032000 CR3: 000000006a0ff000 CR4: 00000000000006f0
Call Trace:
 pvr2_send_request_ex+0xa57/0x1d80 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:3645
 pvr2_hdw_check_firmware drivers/media/usb/pvrusb2/pvrusb2-hdw.c:1812
 pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2107
 pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2250
 pvr2_hdw_initialize+0x548/0x3c10 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2327
 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:118
 pvr2_context_thread_func+0x361/0x8c0 drivers/media/usb/pvrusb2/pvrusb2-context.c:167
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 ee 82 89 fe 45 89 e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 40 c0 ea 86 e8 30 1b dc fc <0f> ff e9 9b f7 ff
ff e8 aa 95 25 fd e9 80 f7 ff ff e8 50 74 f3 ---[ end trace 6919030503719da6 ]--- Signed-off-by: Andrey Konovalov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Mauro Carvalho Chehab --- drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c @@ -3642,6 +3642,12 @@ static int pvr2_send_request_ex(struct p hdw); hdw->ctl_write_urb->actual_length = 0; hdw->ctl_write_pend_flag = !0; + if (usb_urb_ep_type_check(hdw->ctl_write_urb)) { + pvr2_trace( + PVR2_TRACE_ERROR_LEGS, + "Invalid write control endpoint"); + return -EINVAL; + } status = usb_submit_urb(hdw->ctl_write_urb,GFP_KERNEL); if (status < 0) { pvr2_trace(PVR2_TRACE_ERROR_LEGS, @@ -3666,6 +3672,12 @@ status); hdw); hdw->ctl_read_urb->actual_length = 0; hdw->ctl_read_pend_flag = !0; + if (usb_urb_ep_type_check(hdw->ctl_read_urb)) { + pvr2_trace( + PVR2_TRACE_ERROR_LEGS, + "Invalid read control endpoint"); + return -EINVAL; + } status = usb_submit_urb(hdw->ctl_read_urb,GFP_KERNEL); if (status < 0) { pvr2_trace(PVR2_TRACE_ERROR_LEGS,
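
Review bot: in the first hunk (write path of pvr2_send_request_ex), the new branch does `return -EINVAL;` right after `hdw->ctl_write_pend_flag = !0;`, so the pending flag stays set even though no URB was submitted. Clear the flag before returning, or move the usb_urb_ep_type_check() call above the flag assignment so no state needs undoing. The visible context cuts off inside the `if (status < 0)` branch that follows usb_submit_urb(), so also confirm that a bare return here does not skip cleanup that branch performs on its way out.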
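
Review bot: in the second hunk (read path), `return -EINVAL;` can be reached after the write URB from the first hunk has already been submitted, assuming both hunks sit in the same function as the adjacent line numbers (3642 and 3666) suggest. Returning at that point leaves that URB in flight and `hdw->ctl_read_pend_flag` set with nothing waiting on either. Consider running usb_urb_ep_type_check() on both URBs before submitting the first one, or clearing the read flag and taking the same exit as the usb_submit_urb() failure branch so the write side is unwound.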