Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp1194414ybn;
        Wed, 2 Oct 2019 12:14:50 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxKAELF2uvM0yBUR9ZkVR1gRPYrXo4JpUbsxHEAbX9KD5no8R7H3oU/FXz2YSmMxKwSggQr
X-Received: by 2002:a50:ef02:: with SMTP id m2mr5627663eds.157.1570043690071;
        Wed, 02 Oct 2019 12:14:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1570043690; cv=none;
        d=google.com; s=arc-20160816;
        b=ABscPueDLZo2H783KAgLSDne1pMzMKSc48mJV3VcKFlyng6XPSgKrg8+dY+NHeKuCq
         6Vapsm6CSZUFRJ4Upi8ZdsObOsfsioaEIS7lzvUB2ZWfVJzrevaJmKxdnkM4uYrSm3wg
         Q+e3fM+HPXJ3QnIyp4nrK4EVbKk7iQ6zCFR6f0iOHs0EtROIboCT82zqOct4RClBDVgj
         eOhYtPZmEAbVMwYjle+YPIpU9A4Zr7Qj/WaFPAeAbY9AgYYrpDkf5kUPmndX7WP3zqzI
         oEkBG4JEmkkXnt2RtClA8WUtwu5awDrZ+wrTiRBk6r+ZeE56TOH5a5Q79MtdEOlQ4OmN
         KruA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to
         :from:mime-version:content-transfer-encoding:content-disposition;
        bh=pqb50CCSQ36P7XZvB6qzv1oG3kVAT4H1TuwBdNg7sMo=;
        b=FjpUWBbCAI7yrdCgrdELiENtP0m0/3sH4+PDLc6IS7S/ebOSB0ORbXGP49X3WM14mA
         GUxgk03E9CsiVRlmuiRHxiQ1PAVekJmNtKnPtubHOPc9g/hU1UGwLi8iMydsoA+VzyQK
         C5QUAEIE4w2o5woQomOx9YIUBnA0uLsciZPyowupo0oiGmgDM15Ntf2v2BpS2e+1UoWr
         1Wa87xHMlQUEZ8YPtMJMEu+0/hfNimV0sj112QZefEAuAkpJ+plE3bUZKIRIlKmKuKpr
         YQeaSa+sQsWM4JjHP8N8F9n7CZBl9zn8sZq6yDr0EimxoynbDerX8jONwVXYhqCgQd84
         f4nQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r5si39816edo.14.2019.10.02.12.14.26;
        Wed, 02 Oct 2019 12:14:50 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729112AbfJBTIJ (ORCPT <rfc822;gklkml16@gmail.com> + 99 others);
        Wed, 2 Oct 2019 15:08:09 -0400
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:35200 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1728763AbfJBTIH (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Oct 2019 15:08:07 -0400
Received: from [192.168.4.242] (helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.89)
        (envelope-from <ben@decadent.org.uk>)
        id 1iFjyn-00035B-4k; Wed, 02 Oct 2019 20:08:05 +0100
Received: from ben by deadeye with local (Exim 4.92.1)
        (envelope-from <ben@decadent.org.uk>)
        id 1iFjym-0003aF-Ul; Wed, 02 Oct 2019 20:08:04 +0100
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From:   Ben Hutchings <ben@decadent.org.uk>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC:     akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
        "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
        "Alan Stern" <stern@rowland.harvard.edu>
Date:   Wed, 02 Oct 2019 20:06:51 +0100
Message-ID: <lsq.1570043211.160890792@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
X-Patchwork-Hint: ignore
Subject: [PATCH 3.16 06/87] USB: Fix slab-out-of-bounds write in
 usb_get_bos_descriptor
In-Reply-To: <lsq.1570043210.379046399@decadent.org.uk>
X-SA-Exim-Connect-IP: 192.168.4.242
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.75-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit a03ff54460817c76105f81f3aa8ef655759ccc9a upstream.

The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the
USB core, caused by a failure to check the actual size of a BOS
descriptor.  This patch adds a check to make sure the descriptor is at
least as large as it is supposed to be, so that the code doesn't
inadvertently access memory beyond the end of the allocated region
when assigning to dev->bos->desc->bNumDeviceCaps later on.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/config.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -897,8 +897,8 @@ int usb_get_bos_descriptor(struct usb_de
 
 	/* Get BOS descriptor */
 	ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE);
-	if (ret < USB_DT_BOS_SIZE) {
-		dev_err(ddev, "unable to get BOS descriptor\n");
+	if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) {
+		dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n");
 		if (ret >= 0)
 			ret = -ENOMSG;
 		kfree(bos);