From: Alan Stern
Date: Mon, 13 May 2019 13:14:29 -0400 (EDT)
To: Greg KH
Cc: andreyknvl@google.com, Kernel development list, USB list
Subject: [PATCH] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
In-Reply-To: <00000000000061c7cd0588c6933c@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the USB core, caused by a failure to check the actual size of a BOS descriptor. This patch adds a check to make sure the descriptor is at least as large as it is supposed to be, so that the code doesn't inadvertently access memory beyond the end of the allocated region when assigning to dev->bos->desc->bNumDeviceCaps later on.
Signed-off-by: Alan Stern Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com CC: --- [as1898] drivers/usb/core/config.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: usb-devel/drivers/usb/core/config.c =================================================================== --- usb-devel.orig/drivers/usb/core/config.c +++ usb-devel/drivers/usb/core/config.c @@ -932,8 +932,8 @@ int usb_get_bos_descriptor(struct usb_de /* Get BOS descriptor */ ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE); - if (ret < USB_DT_BOS_SIZE) { - dev_err(ddev, "unable to get BOS descriptor\n"); + if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) { + dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n"); if (ret >= 0) ret = -ENOMSG; kfree(bos);
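Review bot: the new condition in the hunk relies on short-circuit evaluation: bos->bLength is only read once `ret < USB_DT_BOS_SIZE` is false, i.e. after usb_get_descriptor() has returned at least USB_DT_BOS_SIZE bytes into the buffer, so reordering the two operands would reintroduce a read of an unfilled field. That ordering is correct as written but not obvious; a one-line comment above the `if` stating that bLength is only valid once ret covers the fixed-size header would keep a later cleanup from swapping them. A smaller point: the combined message "unable to get BOS descriptor or descriptor too short" no longer tells the reader which of the two conditions fired, while the -ENOMSG return value is the same for both; logging ret alongside the message (e.g. `dev_err(ddev, "unable to get BOS descriptor (ret %d)\n", ret);`) would make a short descriptor distinguishable from a failed transfer in the kernel log.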