From: Young Xiao <92siuyang@gmail.com>
To: kbuild-all@01.org, linux-usb@vger.kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, greg@kroah.com, mchehab@kernel.org
Cc: keescook@chromium.org, hans.verkuil@cisco.com, Young Xiao
Subject: [PATCH] USB: s2255 & stkwebcam: fix oops with malicious USB descriptors
Date: Fri, 12 Apr 2019 10:39:27 +0800
Message-Id: <1555036767-31170-1-git-send-email-92siuyang@gmail.com>

From: Young Xiao

The driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it.

This vulnerability is the same as CVE-2016-2188.

Signed-off-by: Young Xiao
---
 drivers/media/usb/s2255/s2255drv.c | 7 +++++++
 drivers/media/usb/stkwebcam/stk-webcam.c | 6 ++++++
 2 files changed, 13 insertions(+)

diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c index 5b3e54b..82dd661 100644 --- a/drivers/media/usb/s2255/s2255drv.c +++ b/drivers/media/usb/s2255/s2255drv.c
@@ -2263,6 +2263,13 @@ static int s2255_probe(struct usb_interface *interface, iface_desc = interface->cur_altsetting; dev_dbg(&interface->dev, "num EP: %d\n", iface_desc->desc.bNumEndpoints); + + if (iface_desc->desc.bNumEndpoints < 1) { + dev_err(&interface->dev, "Invalid number of endpoints\n"); + retval = -EINVAL; + goto errorEP; + } + for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { endpoint = &iface_desc->endpoint[i].desc; if (!dev->read_endpoint && usb_endpoint_is_bulk_in(endpoint)) { diff --git a/drivers/media/usb/stkwebcam/stk-webcam.c b/drivers/media/usb/stkwebcam/stk-webcam.c index 8f54586..e427c3d 100644 --- a/drivers/media/usb/stkwebcam/stk-webcam.c +++ b/drivers/media/usb/stkwebcam/stk-webcam.c @@ -1350,6 +1350,12 @@ static int stk_camera_probe(struct usb_interface *interface, * for the current alternate setting */ iface_desc = interface->cur_altsetting; + if (iface_desc->desc.bNumEndpoints < 1) { + dev_err(&interface->dev, "Invalid number of endpoints\n"); + err = -EINVAL; + goto error; + } + for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { endpoint = &iface_desc->endpoint[i].desc; -- 1.9.1
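Review bot: In the s2255_probe hunk, the loop directly below the new check, `for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i)`, is already bounded by bNumEndpoints, so with a count of 0 it never indexes iface_desc->endpoint[], and nothing in the visible context dereferences an endpoint unconditionally. The commit message says the driver "will crash in the probe function" but does not name the statement that oopses; please add that. If the fault is a later use of dev->read_endpoint, testing after the loop that a bulk-in endpoint was actually found would cover both the zero-endpoint descriptor and one that has endpoints but no bulk-in, which `bNumEndpoints < 1` does not catch.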
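Review bot: In the stk_camera_probe hunk, `bNumEndpoints < 1` rejects only an empty interface; a descriptor that reports one or more endpoints, none of a kind the driver uses, still passes it. Consider validating the outcome of the endpoint loop that follows (the endpoint the driver needs was found) rather than the raw count. The error text "Invalid number of endpoints" is identical in both drivers and does not say what was expected, so a message stating that the interface has no endpoints would be easier to triage from the kernel log. Since the diffstat covers two unrelated drivers, one patch per driver would also simplify review and backporting.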