From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com Subject: [PATCH 4.14 29/69] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor Date: Fri, 7 Jun 2019 17:39:10 +0200 Message-Id: <20190607153851.981453928@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190607153848.271562617@linuxfoundation.org> References: <20190607153848.271562617@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Alan Stern commit a03ff54460817c76105f81f3aa8ef655759ccc9a upstream. The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the USB core, caused by a failure to check the actual size of a BOS descriptor. This patch adds a check to make sure the descriptor is at least as large as it is supposed to be, so that the code doesn't inadvertently access memory beyond the end of the allocated region when assigning to dev->bos->desc->bNumDeviceCaps later on. Signed-off-by: Alan Stern Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com CC: Signed-off-by: Greg Kroah-Hartman --- drivers/usb/core/config.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -936,8 +936,8 @@ int usb_get_bos_descriptor(struct usb_de /* Get BOS descriptor */ ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE); - if (ret < USB_DT_BOS_SIZE) { - dev_err(ddev, "unable to get BOS descriptor\n"); + if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) { + dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n"); if (ret >= 0) ret = -ENOMSG; kfree(bos);
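Review bot: the single dev_err() string in the widened condition of usb_get_bos_descriptor() makes a failed or short transfer (ret < USB_DT_BOS_SIZE) indistinguishable in the log from a device that returned a full-size read but reported bos->bLength < USB_DT_BOS_SIZE. The second case is the malformed-descriptor path that the fuzzer hit, so it is worth being able to tell apart when triaging a misbehaving or hostile device. Consider either splitting the two tests with their own messages or printing both values in the one message, for example ret and bos->bLength. A one-line comment above the check saying that bLength is validated here because dev->bos->desc->bNumDeviceCaps is written later would also keep the reason for the test from being lost in a future cleanup. The existing "if (ret >= 0) ret = -ENOMSG;" correctly covers the new case, where ret is non-negative but the descriptor is rejected.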