Date: Tue, 7 May 2019 12:39:47 -0400 (EDT)
From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: mchehab@kernel.org cc: andreyknvl@google.com, Kernel development list , , USB list , , Subject: [PATCH] media: usb: siano: Fix general protection fault in smsusb In-Reply-To: <0000000000004a08f805883ead54@google.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The syzkaller USB fuzzer found a general-protection-fault bug in the smsusb part of the Siano DVB driver. The fault occurs during probe because the driver assumes without checking that the device has both IN and OUT endpoints and the IN endpoint is ep1. By slightly rearranging the driver's initialization code, we can make the appropriate checks early on and thus avoid the problem. If the expected endpoints aren't present, the new code safely returns -ENODEV from the probe routine. Signed-off-by: Alan Stern Reported-and-tested-by: syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com CC: --- [as1897] drivers/media/usb/siano/smsusb.c | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) Index: usb-devel/drivers/media/usb/siano/smsusb.c =================================================================== --- usb-devel.orig/drivers/media/usb/siano/smsusb.c +++ usb-devel/drivers/media/usb/siano/smsusb.c @@ -400,6 +400,7 @@ static int smsusb_init_device(struct usb struct smsusb_device_t *dev; void *mdev; int i, rc; + int in_maxp; /* create device object */ dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL); 
@@ -411,6 +412,24 @@ static int smsusb_init_device(struct usb dev->udev = interface_to_usbdev(intf); dev->state = SMSUSB_DISCONNECTED; + for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { + struct usb_endpoint_descriptor *desc = + &intf->cur_altsetting->endpoint[i].desc; + + if (desc->bEndpointAddress & USB_DIR_IN) { + dev->in_ep = desc->bEndpointAddress; + in_maxp = usb_endpoint_maxp(desc); + } else { + dev->out_ep = desc->bEndpointAddress; + } + } + + pr_debug("in_ep = %02x, out_ep = %02x\n", dev->in_ep, dev->out_ep); + if (!dev->in_ep || !dev->out_ep) { /* Missing endpoints? */ + smsusb_term_device(intf); + return -ENODEV; + } + params.device_type = sms_get_board(board_id)->type; switch (params.device_type) { @@ -425,24 +444,12 @@ static int smsusb_init_device(struct usb /* fall-thru */ default: dev->buffer_size = USB2_BUFFER_SIZE; - dev->response_alignment = - le16_to_cpu(dev->udev->ep_in[1]->desc.wMaxPacketSize) - - sizeof(struct sms_msg_hdr); + dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr); params.flags |= SMS_DEVICE_FAMILY2; break; } - for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { - if (intf->cur_altsetting->endpoint[i].desc. bEndpointAddress & USB_DIR_IN) - dev->in_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress; - else - dev->out_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress; - } - - pr_debug("in_ep = %02x, out_ep = %02x\n", - dev->in_ep, dev->out_ep); - params.device = &dev->udev->dev; params.usb_device = dev->udev; params.buffer_size = dev->buffer_size;
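Review bot: in the first hunk (@@ -400,6 +400,7 @@), `int in_maxp;` has no initializer and its only assignment is inside the IN branch of the new endpoint loop. The later `!dev->in_ep` test does guarantee that branch ran before `in_maxp` is read, but the compiler cannot prove it, so `-Wmaybe-uninitialized` may fire on the `in_maxp - sizeof(struct sms_msg_hdr)` use. Suggest `int in_maxp = 0;`.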
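Review bot: in the second hunk (@@ -411,6 +412,24 @@), the loop classifies endpoints by direction bit only (`desc->bEndpointAddress & USB_DIR_IN`), so if the altsetting carries several IN endpoints the last one wins and `in_maxp` follows it, and the transfer type is never looked at. If the driver submits bulk URBs to `in_ep`/`out_ep`, `usb_endpoint_is_bulk_in(desc)` / `usb_endpoint_is_bulk_out(desc)` would also reject an interrupt or isochronous endpoint offered by a fuzzer-supplied descriptor, which is the class of input that produced this report. Moving the scan and the `-ENODEV` bail-out ahead of the `switch` is the right fix for the original fault, since nothing derived from the endpoints is touched before the check.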
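Review bot: in the third hunk (@@ -425,24 +444,12 @@), `dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr);` mixes a signed `int` with `size_t`, so a descriptor advertising a `wMaxPacketSize` smaller than the header (which `usb_endpoint_maxp()` will return as-is) makes the subtraction wrap before it is stored. The removed code had the same shape, so this is not a regression, but since the point of the patch is to stop trusting descriptor contents, a lower bound such as `if (in_maxp < sizeof(struct sms_msg_hdr)) return -ENODEV;` next to the new endpoint check would close it. Replacing the open-coded `le16_to_cpu(dev->udev->ep_in[1]->desc.wMaxPacketSize)` with `usb_endpoint_maxp()` on the endpoint actually found is an improvement on its own, as it removes the hard-coded assumption that the IN endpoint is ep1.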
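An added example, not part of Alan Stern's patch or the kernel tree: a stand-alone C model of the endpoint validation the patch introduces, run over constructed descriptor sets (the ep1-IN layout the old code assumed, an IN-only interface, an interface whose IN endpoint is ep3, and one advertising a hostile 4-byte max packet size). It also carries one guard the patch does not have, a lower bound on the IN endpoint's max packet size before the `response_alignment` subtraction. The struct layouts, the `USB_DIR_IN` and `USB_ENDPOINT_MAXP_MASK` values, and the `sms_*` function names are assumptions for this program, not the kernel's definitions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DIR_IN 0x80                 /* direction bit of bEndpointAddress */
#define USB_ENDPOINT_MAXP_MASK 0x07ff   /* payload bits of wMaxPacketSize */

/* Constructed stand-ins for the kernel descriptor/driver structs. */
struct ep_desc {
    uint8_t  bEndpointAddress;
    uint16_t wMaxPacketSize;
};

struct sms_msg_hdr {                    /* constructed 8-byte header stand-in */
    uint16_t msg_type;
    uint8_t  msg_src_id;
    uint8_t  msg_dst_id;
    uint16_t msg_length;
    uint16_t msg_flags;
};

struct sms_dev {
    uint8_t in_ep;
    uint8_t out_ep;
    int     response_alignment;
};

/*
 * Validate the interface's endpoints before anything derived from them is
 * used, as the patch does in smsusb_init_device(). Returns 0 and fills *dev
 * on success, -ENODEV if an IN or OUT endpoint is missing or the IN endpoint
 * is too small to carry a message header (that last check goes beyond the
 * patch and is this example's own addition).
 */
int sms_check_endpoints(const struct ep_desc *eps, int n, struct sms_dev *dev)
{
    int in_maxp = 0;

    dev->in_ep = 0;
    dev->out_ep = 0;
    for (int i = 0; i < n; i++) {
        if (eps[i].bEndpointAddress & USB_DIR_IN) {
            dev->in_ep = eps[i].bEndpointAddress;
            /* mirrors usb_endpoint_maxp(): payload size without mult bits */
            in_maxp = eps[i].wMaxPacketSize & USB_ENDPOINT_MAXP_MASK;
        } else {
            dev->out_ep = eps[i].bEndpointAddress;
        }
    }

    if (!dev->in_ep || !dev->out_ep)                  /* missing endpoints? */
        return -ENODEV;
    if (in_maxp < (int)sizeof(struct sms_msg_hdr))   /* subtraction would wrap */
        return -ENODEV;

    dev->response_alignment = in_maxp - (int)sizeof(struct sms_msg_hdr);
    return 0;
}

/* Convenience wrapper: response_alignment on success, negative errno on failure. */
int sms_alignment_of(const struct ep_desc *eps, int n)
{
    struct sms_dev dev;
    int rc = sms_check_endpoints(eps, n, &dev);

    return rc ? rc : dev.response_alignment;
}

/* Constructed descriptor sets for the four cases described above. */
static const struct ep_desc good_eps[]  = { {0x81, 512}, {0x02, 512} };
static const struct ep_desc in_only[]   = { {0x81, 512} };
static const struct ep_desc swapped[]   = { {0x02, 512}, {0x83, 64} };
static const struct ep_desc tiny_maxp[] = { {0x81, 4}, {0x02, 512} };

int main(void)
{
    printf("good:      %d\n", sms_alignment_of(good_eps, 2));   /* 504 */
    printf("in-only:   %d\n", sms_alignment_of(in_only, 1));    /* -ENODEV */
    printf("no eps:    %d\n", sms_alignment_of(good_eps, 0));   /* -ENODEV */
    printf("ep3 in:    %d\n", sms_alignment_of(swapped, 2));    /* 56 */
    printf("tiny maxp: %d\n", sms_alignment_of(tiny_maxp, 2));  /* -ENODEV */
    return 0;
}
```

The first two rejections are exactly what the patch's `!dev->in_ep || !dev->out_ep` test catches; the `swapped` case shows why reading the found descriptor rather than `ep_in[1]` matters; the `tiny_maxp` case is the extra guard that keeps `response_alignment` from wrapping.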