From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Masakazu Mokuno", "Greg Kroah-Hartman"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 023/254] USB: core: Add type-specific length check of BOS descriptors

3.16.55-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Masakazu Mokuno

commit 81cf4a45360f70528f1f64ba018d61cb5767249a upstream.

As most of BOS descriptors are longer in length than their header
'struct usb_dev_cap_header', comparing solely with it is not sufficient
to avoid out-of-bounds access to BOS descriptors.

This patch adds descriptor type specific length check in
usb_get_bos_descriptor() to fix the issue.

Signed-off-by: Masakazu Mokuno
Signed-off-by: Greg Kroah-Hartman
[bwh: Backported to 3.16: drop handling of USB_PTM_CAP_TYPE and
 USB_SSP_CAP_TYPE]
Signed-off-by: Ben Hutchings
---
--- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -871,6 +871,13 @@ void usb_release_bos_descriptor(struct u } } +static const __u8 bos_desc_len[256] = { + [USB_CAP_TYPE_WIRELESS_USB] = USB_DT_USB_WIRELESS_CAP_SIZE, + [USB_CAP_TYPE_EXT] = USB_DT_USB_EXT_CAP_SIZE, + [USB_SS_CAP_TYPE] = USB_DT_USB_SS_CAP_SIZE, + [CONTAINER_ID_TYPE] = USB_DT_USB_SS_CONTN_ID_SIZE, +}; + /* Get BOS descriptor set */ int usb_get_bos_descriptor(struct usb_device *dev) { @@ -879,6 +886,7 @@ int usb_get_bos_descriptor(struct usb_de struct usb_dev_cap_header *cap; unsigned char *buffer; int length, total_len, num, i; + __u8 cap_type; int ret; bos = kzalloc(sizeof(struct usb_bos_descriptor), GFP_KERNEL); 
@@ -931,7 +939,13 @@ int usb_get_bos_descriptor(struct usb_de dev->bos->desc->bNumDeviceCaps = i; break; } + cap_type = cap->bDevCapabilityType; length = cap->bLength; + if (bos_desc_len[cap_type] && length < bos_desc_len[cap_type]) { + dev->bos->desc->bNumDeviceCaps = i; + break; + } + total_len -= length; if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) { @@ -939,7 +953,7 @@ int usb_get_bos_descriptor(struct usb_de continue; } - switch (cap->bDevCapabilityType) { + switch (cap_type) { case USB_CAP_TYPE_WIRELESS_USB: /* Wireless USB cap descriptor is handled by wusb */ break; --- a/include/uapi/linux/usb/ch9.h +++ b/include/uapi/linux/usb/ch9.h @@ -819,6 +819,8 @@ struct usb_wireless_cap_descriptor { /* __u8 bReserved; } __attribute__((packed)); +#define USB_DT_USB_WIRELESS_CAP_SIZE 11 + /* USB 2.0 Extension descriptor */ #define USB_CAP_TYPE_EXT 2
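Review bot: The bos_desc_len[256] table added above usb_get_bos_descriptor() in drivers/usb/core/config.c has no comment saying that a zero entry means "no type-specific minimum length", so only the four listed capability types get more than the usb_dev_cap_header check. A short comment above the table stating that, and that this backport leaves USB_PTM_CAP_TYPE and USB_SSP_CAP_TYPE out on purpose, would keep a later reader from assuming every capability type is covered.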
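Review bot: In the @@ -931,7 +939,13 @@ hunk the new length test runs before the existing cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY test, so cap->bDevCapabilityType is used as a table index even for descriptors that are not device capabilities. Such a descriptor, which the following lines would skip with continue, instead ends the loop with bNumDeviceCaps = i when the byte at the bDevCapabilityType offset matches a populated table entry and bLength is smaller than that entry. Consider moving the bos_desc_len[cap_type] check below the bDescriptorType test so it applies only to device capability descriptors.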
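Review bot: USB_DT_USB_WIRELESS_CAP_SIZE in include/uapi/linux/usb/ch9.h is a bare 11 with nothing tying it to struct usb_wireless_cap_descriptor, and the bounds check in config.c now depends on it being right. A BUILD_BUG_ON comparing it with sizeof(struct usb_wireless_cap_descriptor) next to the bos_desc_len table, or at least a comment stating that it is the packed size of that struct, would catch a mismatch at build time.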