Subject: [PATCH] USB: core: limit access to rawdescriptors which were not allocated
Date: Wed, 26 Aug 2020 00:16:59 +0800
Message-ID: <20200825161659.19008-1-yanfei.xu@windriver.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Yanfei Xu

When using a system call to read the rawdescriptors, make sure we won't
access rawdescriptors that were never allocated, which are those whose
number exceeds USB_MAXCONFIG.

Reported-by: syzbot+256e56ddde8b8957eabd@syzkaller.appspotmail.com
Signed-off-by: Yanfei Xu
---
 drivers/usb/core/sysfs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c index a2ca38e25e0c..1a7a625e5f55 100644 --- a/drivers/usb/core/sysfs.c +++ b/drivers/usb/core/sysfs.c @@ -895,7 +895,8 @@ read_descriptors(struct file *filp, struct kobject *kobj, * configurations (config plus subsidiary descriptors). */ for (cfgno = -1; cfgno < udev->descriptor.bNumConfigurations && - nleft > 0; ++cfgno) { + nleft > 0 && + cfgno < USB_MAXCONFIG; ++cfgno) { if (cfgno < 0) { src = &udev->descriptor; srclen = sizeof(struct usb_device_descriptor); -- 2.18.2
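
Review bot: The new `cfgno < USB_MAXCONFIG` term in the `for` condition of read_descriptors() bounds the index at this one reader only, while `udev->descriptor.bNumConfigurations` is still taken as-is. Neither the hunk nor the changelog says how that field can come to exceed the number of rawdescriptors that were allocated. Please explain that path in the commit message, and consider validating the count where it is set or stored, so that every user of `bNumConfigurations` sees a value consistent with the allocation. Also note that USB_MAXCONFIG is a compile-time ceiling: if fewer entries than that were allocated for this device, an index below USB_MAXCONFIG can still be past the end of the array, so bounding the loop by the count actually allocated would be the tighter check. The comment above the loop should mention the new limit as well.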