From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Oliver Neukum, syzbot+843efa30c8821bd69f53@syzkaller.appspotmail.com
Subject: [PATCH 4.18 153/228] USB: usbdevfs: sanitize flags more
Date: Tue, 2 Oct 2018 06:24:10 -0700
Message-Id: <20181002132509.398389454@linuxfoundation.org>
In-Reply-To: <20181002132459.032960735@linuxfoundation.org>
References: <20181002132459.032960735@linuxfoundation.org>

4.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum commit 7a68d9fb851012829c29e770621905529bd9490b upstream. Requesting a ZERO_PACKET or not is sensible only for output. In the input direction the device decides. Likewise accepting short packets makes sense only for input. This allows operation with panic_on_warn without opening up a local DOS. Signed-off-by: Oliver Neukum Reported-by: syzbot+843efa30c8821bd69f53@syzkaller.appspotmail.com Fixes: 0cb54a3e47cb ("USB: debugging code shouldn't alter control flow") Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/core/devio.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1433,10 +1433,13 @@ static int proc_do_submiturb(struct usb_ struct async *as = NULL; struct usb_ctrlrequest *dr = NULL; unsigned int u, totlen, isofrmlen; - int i, ret, is_in, num_sgs = 0, ifnum = -1; + int i, ret, num_sgs = 0, ifnum = -1; int number_of_packets = 0; unsigned int stream_id = 0; void *buf; + bool is_in; + bool allow_short = false; + bool allow_zero = false; unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK | USBDEVFS_URB_BULK_CONTINUATION | USBDEVFS_URB_NO_FSBR | @@ -1470,6 +1473,8 @@ static int proc_do_submiturb(struct usb_ u = 0; switch (uurb->type) { case USBDEVFS_URB_TYPE_CONTROL: + if (is_in) + allow_short = true; if (!usb_endpoint_xfer_control(&ep->desc)) return -EINVAL; /* min 8 byte setup packet */ @@ -1510,6 +1515,10 @@ static int proc_do_submiturb(struct usb_ break; case USBDEVFS_URB_TYPE_BULK: + if (!is_in) + allow_zero = true; + else + allow_short = true; switch (usb_endpoint_type(&ep->desc)) { case USB_ENDPOINT_XFER_CONTROL: case USB_ENDPOINT_XFER_ISOC: @@ -1530,6 +1539,10 @@ static int proc_do_submiturb(struct usb_ if (!usb_endpoint_xfer_int(&ep->desc)) return -EINVAL; interrupt_urb: + if (!is_in) + allow_zero = true; + else + allow_short = true; break; case USBDEVFS_URB_TYPE_ISO: 
@@ -1675,9 +1688,9 @@ static int proc_do_submiturb(struct usb_ u = (is_in ? URB_DIR_IN : URB_DIR_OUT); if (uurb->flags & USBDEVFS_URB_ISO_ASAP) u |= URB_ISO_ASAP; - if (uurb->flags & USBDEVFS_URB_SHORT_NOT_OK && is_in) + if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK) u |= URB_SHORT_NOT_OK; - if (uurb->flags & USBDEVFS_URB_ZERO_PACKET) + if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET) u |= URB_ZERO_PACKET; if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT) u |= URB_NO_INTERRUPT;
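
Review bot: In the declarations hunk, allow_short and allow_zero start out false, and no hunk in this patch sets either of them under case USBDEVFS_URB_TYPE_ISO, so for isochronous URBs both USBDEVFS_URB_SHORT_NOT_OK and USBDEVFS_URB_ZERO_PACKET are now always dropped. The removed test `uurb->flags & USBDEVFS_URB_SHORT_NOT_OK && is_in` passed SHORT_NOT_OK through for any IN URB, and the commit message only talks about direction. A one-line comment next to the two new bools saying that the isochronous case leaves them false on purpose would make the intent clear.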
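
Review bot: The block `if (!is_in) allow_zero = true; else allow_short = true;` is added verbatim twice, once at the top of case USBDEVFS_URB_TYPE_BULK and once after the interrupt_urb label, with no comment giving the rule it encodes. In the bulk case it sits ahead of the switch on usb_endpoint_type(), and in the control case `if (is_in) allow_short = true;` sits ahead of the usb_endpoint_xfer_control() check that returns -EINVAL. Nothing breaks, because the two bools are only read where u is built, but setting them after the endpoint validation and stating the direction rule once in a short comment would keep the copies from drifting apart.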
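
Review bot: In the last hunk a flag that the URB type and direction do not permit is cleared silently: when allow_zero is false, USBDEVFS_URB_ZERO_PACKET in uurb->flags is simply not copied into u and submission proceeds, so a caller that sets it on an IN URB gets no indication. If that is intended for compatibility with existing userspace, a comment here should say so; otherwise the alternative of returning -EINVAL is worth discussing. Separately, `allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK` relies on & binding tighter than &&. It is correct as written, but parentheses around the mask test would read more easily.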