From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Oliver Neukum", "Alan Stern", "Greg Kroah-Hartman"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Message-ID:
X-Mailer: LinuxStableQueue (scripts by bwh)
X-Patchwork-Hint: ignore
Subject: [PATCH 3.16 312/328] USB: fix the usbfs flag sanitization for control transfers
In-Reply-To:
X-SA-Exim-Connect-IP: 81.174.156.145
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.62-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern

commit 665c365a77fbfeabe52694aedf3446d5f2f1ce42 upstream.

Commit 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more") checks the transfer flags for URBs submitted from userspace via usbfs. However, the check for whether the USBDEVFS_URB_SHORT_NOT_OK flag should be allowed for a control transfer was added in the wrong place, before the code has properly determined the direction of the control transfer. (Control transfers are special because for them, the direction is set by the bRequestType byte of the Setup packet rather than direction bit of the endpoint address.)

This patch moves code which sets up the allow_short flag for control transfers down after is_in has been set to the correct value.

Signed-off-by: Alan Stern
Reported-and-tested-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com
Fixes: 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more")
CC: Oliver Neukum
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
 drivers/usb/core/devio.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c
@@ -1329,8 +1329,6 @@ static int proc_do_submiturb(struct usb_ u = 0; switch(uurb->type) { case USBDEVFS_URB_TYPE_CONTROL: - if (is_in) - allow_short = true; if (!usb_endpoint_xfer_control(&ep->desc)) return -EINVAL; /* min 8 byte setup packet */ @@ -1360,6 +1358,8 @@ static int proc_do_submiturb(struct usb_ is_in = 0; uurb->endpoint &= ~USB_DIR_IN; } + if (is_in) + allow_short = true; snoop(&ps->dev->dev, "control urb: bRequestType=%02x " "bRequest=%02x wValue=%04x " "wIndex=%04x wLength=%04x\n",
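
Review bot: in the first hunk (@@ -1329), the top of "case USBDEVFS_URB_TYPE_CONTROL:" still carries no comment saying that is_in is only provisional at that point, which is the assumption that led 7a68d9fb8510 to put the allow_short check there. A one-line comment under the case label, stating that the direction of a control transfer comes from bRequestType and is final only after the Setup packet has been examined, would keep a later direction-dependent check from being added back above that point.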
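
Review bot: in the second hunk (@@ -1360), the re-added "if (is_in) allow_short = true;" can only set the flag and never clears it, so the fix is complete only if allow_short is still false when this case is entered. The initialisation lies outside the visible context, so it is worth confirming in the 3.16 tree that nothing earlier in proc_do_submiturb() sets allow_short from the endpoint-address direction; if that cannot be guaranteed, an unconditional "allow_short = is_in;" at this spot would make the result depend only on the final direction.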
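
The ordering problem the commit message describes, as an added userspace model in C (not kernel code and not part of the patch). struct model_urb, control_flags_ok() and the form of the flag check are assumptions made for illustration, the rest of the sanitization is left out, and the inputs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DIR_IN                0x80  /* bit 7 of endpoint address and bRequestType */
#define USBDEVFS_URB_SHORT_NOT_OK 0x01

/* Hypothetical, reduced stand-in for the URB fields the check looks at. */
struct model_urb {
    uint8_t  endpoint;      /* endpoint address as passed by userspace */
    uint8_t  bRequestType;  /* first byte of the 8-byte Setup packet */
    unsigned flags;
};

/*
 * Model of the control-transfer path. check_late=false reproduces the
 * ordering before the patch, check_late=true the ordering after it.
 * Returns true when the flags would be accepted.
 */
static bool control_flags_ok(struct model_urb u, bool check_late)
{
    bool is_in = (u.endpoint & USB_DIR_IN) != 0;   /* provisional value */
    bool allow_short = false;

    if (!check_late && is_in)       /* pre-patch: decided on the provisional value */
        allow_short = true;

    is_in = (u.bRequestType & USB_DIR_IN) != 0;    /* direction from Setup packet */

    if (check_late && is_in)        /* post-patch: decided on the final value */
        allow_short = true;

    /* Assumed form of the sanitization: SHORT_NOT_OK requires allow_short. */
    if ((u.flags & USBDEVFS_URB_SHORT_NOT_OK) && !allow_short)
        return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: endpoint-address bit and Setup direction disagree. */
    struct model_urb in_req  = { 0x00, 0x80, USBDEVFS_URB_SHORT_NOT_OK };
    struct model_urb out_req = { 0x80, 0x00, USBDEVFS_URB_SHORT_NOT_OK };

    printf("IN  request: early=%d late=%d\n",
           control_flags_ok(in_req, false), control_flags_ok(in_req, true));
    printf("OUT request: early=%d late=%d\n",
           control_flags_ok(out_req, false), control_flags_ok(out_req, true));
    return 0;
}
```

With the early ordering the two requests get the opposite of the intended answer; with the late ordering the flag is accepted only for the IN request.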