From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, Denis Kirjanov , "Greg Kroah-Hartman" , "Alan Stern" Date: Wed, 02 Oct 2019 20:06:51 +0100 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 06/87] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor In-Reply-To: X-SA-Exim-Connect-IP: 192.168.4.242 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.75-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Alan Stern commit a03ff54460817c76105f81f3aa8ef655759ccc9a upstream. The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the USB core, caused by a failure to check the actual size of a BOS descriptor. This patch adds a check to make sure the descriptor is at least as large as it is supposed to be, so that the code doesn't inadvertently access memory beyond the end of the allocated region when assigning to dev->bos->desc->bNumDeviceCaps later on. Signed-off-by: Alan Stern Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/usb/core/config.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -897,8 +897,8 @@ int usb_get_bos_descriptor(struct usb_de /* Get BOS descriptor */ ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE); - if (ret < USB_DT_BOS_SIZE) { - dev_err(ddev, "unable to get BOS descriptor\n"); + if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) { + dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n"); if (ret >= 0) ret = -ENOMSG; kfree(bos);
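Review bot: The single dev_err() string in the new condition makes a failed or short transfer (ret < USB_DT_BOS_SIZE) indistinguishable in the log from a device that returned a full-size read whose bLength field is below USB_DT_BOS_SIZE, which is the malformed-descriptor case this patch adds. Consider including ret and bos->bLength in the message, or emitting a separate message per cause, so that triage can tell a transfer failure from a device reporting an invalid descriptor. The order of the two tests is correct as written: bos->bLength is only evaluated once ret has confirmed that USB_DT_BOS_SIZE bytes were returned, and the existing "if (ret >= 0)" branch maps the short-bLength case to -ENOMSG before kfree(bos).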