From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Malte Leip, Sasha Levin
Subject: [PATCH 3.18 47/86] usb: usbip: fix isoc packet num validation in get_pipe
Date: Wed, 15 May 2019 12:55:24 +0200
Message-Id: <20190515090651.606964470@linuxfoundation.org>
In-Reply-To: <20190515090642.339346723@linuxfoundation.org>
References: <20190515090642.339346723@linuxfoundation.org>

commit c409ca3be3c6ff3a1eeb303b191184e80d412862 upstream.

Backport of the upstream commit, which fixed c6688ef9f297. c6688ef9f297 got backported as commit eebf31529012, as the unavailable function usb_endpoint_maxp_mult had to be replaced. The upstream commit removed the call to this function, so the backport is straightforward.

Original commit message:

Change the validation of number_of_packets in get_pipe to compare the number of packets to a fixed maximum number of packets allowed, set to be 1024. This number was chosen due to it being used by other drivers as well, for example drivers/usb/host/uhci-q.c

Background/reason:
The get_pipe function in stub_rx.c validates the number of packets in isochronous mode and aborts with an error if that number is too large, in order to prevent malicious input from possibly triggering large memory allocations. This was previously done by checking whether pdu->u.cmd_submit.number_of_packets is bigger than the number of packets that would be needed for pdu->u.cmd_submit.transfer_buffer_length bytes if all except possibly the last packet had maximum length, given by usb_endpoint_maxp(epd) * usb_endpoint_maxp_mult(epd).
This leads to an error if URBs with packets shorter than the maximum possible length are submitted, which is allowed according to Documentation/driver-api/usb/URB.rst and occurs for example with the snd-usb-audio driver. Fixes: eebf31529012 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") Signed-off-by: Malte Leip Cc: stable # 3.18.x Signed-off-by: Sasha Levin --- drivers/usb/usbip/stub_rx.c | 18 +++--------------- drivers/usb/usbip/usbip_common.h | 7 +++++++ 2 files changed, 10 insertions(+), 15 deletions(-) diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c index 56cacb68040c..808e3a317954 100644 --- a/drivers/usb/usbip/stub_rx.c +++ b/drivers/usb/usbip/stub_rx.c @@ -380,22 +380,10 @@ static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) } if (usb_endpoint_xfer_isoc(epd)) { - /* validate packet size and number of packets */ - unsigned int maxp, packets, bytes; - -#define USB_EP_MAXP_MULT_SHIFT 11 -#define USB_EP_MAXP_MULT_MASK (3 << USB_EP_MAXP_MULT_SHIFT) -#define USB_EP_MAXP_MULT(m) \ - (((m) & USB_EP_MAXP_MULT_MASK) >> USB_EP_MAXP_MULT_SHIFT) - - maxp = usb_endpoint_maxp(epd); - maxp *= (USB_EP_MAXP_MULT( - __le16_to_cpu(epd->wMaxPacketSize)) + 1); - bytes = pdu->u.cmd_submit.transfer_buffer_length; - packets = DIV_ROUND_UP(bytes, maxp); - + /* validate number of packets */ if (pdu->u.cmd_submit.number_of_packets < 0 || - pdu->u.cmd_submit.number_of_packets > packets) { + pdu->u.cmd_submit.number_of_packets > + USBIP_MAX_ISO_PACKETS) { dev_err(&sdev->udev->dev, "CMD_SUBMIT: isoc invalid num packets %d\n", pdu->u.cmd_submit.number_of_packets); diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h index 0fc5ace57c0e..af903aa4ad90 100644 --- a/drivers/usb/usbip/usbip_common.h +++ b/drivers/usb/usbip/usbip_common.h 
@@ -134,6 +134,13 @@ extern struct device_attribute dev_attr_usbip_debug; #define USBIP_DIR_OUT 0x00 #define USBIP_DIR_IN 0x01 +/* + * Arbitrary limit for the maximum number of isochronous packets in an URB, + * compare for example the uhci_submit_isochronous function in + * drivers/usb/host/uhci-q.c + */ +#define USBIP_MAX_ISO_PACKETS 1024 + /** * struct usbip_header_basic - data pertinent to every request * @command: the usbip request type -- 2.20.1
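
Review bot: In get_pipe in stub_rx.c, the new upper bound no longer ties number_of_packets to transfer_buffer_length, so a CMD_SUBMIT carrying up to 1024 packets with a very small or zero-length buffer now passes this check. That is intended for short packets, but the hunk removes the only visible relation between the two fields; please confirm, and ideally state in the commit message, where the per-packet offset and length are checked against transfer_buffer_length before the buffer is used. Separately, the dev_err on this path is reachable from remote input, so consider dev_err_ratelimited and printing USBIP_MAX_ISO_PACKETS next to the rejected value.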
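
Review bot: In usbip_common.h, the comment above USBIP_MAX_ISO_PACKETS calls the limit arbitrary but does not say what it protects. The commit message gives the reason (keeping malicious input from triggering large memory allocations), and that belongs in the comment, since it is what a later reader sees when deciding whether the value can be raised. The constant is added to the shared header, yet in this patch only get_pipe in stub_rx.c uses it; if other paths read number_of_packets from the wire, say whether they are expected to enforce the same ceiling.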
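
A userspace model of the two validation rules the commit message compares, added here as an illustration and not code from the patch or the kernel tree. `struct iso_submit`, `old_check`, `new_check`, the `max_bytes` parameter and the sample inputs are constructed for the example; only `USBIP_MAX_ISO_PACKETS` and its value come from the patch.

```c
#include <stdio.h>

#define USBIP_MAX_ISO_PACKETS 1024                 /* value from the patch */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d)) /* userspace copy of the kernel macro */

/* Hypothetical stand-in for the two CMD_SUBMIT fields the check reads. */
struct iso_submit {
	int number_of_packets;
	int transfer_buffer_length;
};

/* Pre-patch rule: no more packets than full-size packets needed for the buffer.
 * max_bytes models the endpoint's maximum bytes per packet. Returns 1 if accepted. */
static int old_check(const struct iso_submit *s, unsigned int max_bytes)
{
	unsigned int packets;

	if (max_bytes == 0 || s->transfer_buffer_length < 0)
		return 0; /* model-only guard, not taken from the driver */
	packets = DIV_ROUND_UP((unsigned int)s->transfer_buffer_length, max_bytes);
	return s->number_of_packets >= 0 &&
	       (unsigned int)s->number_of_packets <= packets;
}

/* Post-patch rule: a fixed ceiling, independent of the buffer length. */
static int new_check(const struct iso_submit *s)
{
	return s->number_of_packets >= 0 &&
	       s->number_of_packets <= USBIP_MAX_ISO_PACKETS;
}

int main(void)
{
	/* Constructed inputs; the endpoint is assumed to carry 1024 bytes per packet. */
	static const struct { const char *name; struct iso_submit s; } cases[] = {
		{ "8 short packets of 192 bytes", { 8, 8 * 192 } },
		{ "2 full-size packets",          { 2, 2 * 1024 } },
		{ "negative count",               { -1, 4096 } },
		{ "oversized count",              { 1 << 20, 4096 } },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-30s old=%d new=%d\n", cases[i].name,
		       old_check(&cases[i].s, 1024), new_check(&cases[i].s));
	return 0;
}
```

The first case is the regression the commit message describes: a legitimate URB made of short packets is rejected by the old rule and accepted by the new one, while negative and oversized counts are still refused.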