From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alan Stern, syzbot+72af3105289dcb4c055b@syzkaller.appspotmail.com, Greg Kroah-Hartman, Sasha Levin
Subject: [PATCH 5.10 15/98] USB: core: Fix incorrect pipe calculation in do_proc_control()
Date: Tue, 24 Aug 2021 12:57:45 -0400
Message-Id: <20210824165908.709932-16-sashal@kernel.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210824165908.709932-1-sashal@kernel.org>
References: <20210824165908.709932-1-sashal@kernel.org>
MIME-Version: 1.0
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.61-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-5.10.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 5.10.61-rc1
X-KernelTest-Deadline: 2021-08-26T16:58+00:00
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alan Stern

[ Upstream commit b0863f1927323110e3d0d69f6adb6a91018a9a3c ]

When the user submits a control URB via usbfs, the user supplies the
bRequestType value and the kernel uses it to compute the pipe value.
However, do_proc_control() performs this computation incorrectly in
the case where the bRequestType direction bit is set to USB_DIR_IN and
the URB's transfer length is 0: The pipe's direction is also set to IN
but it should be OUT, which is the direction the actual transfer will
use regardless of bRequestType.

Commit 5cc59c418fde ("USB: core: WARN if pipe direction != setup
packet direction") added a check to compare the direction bit in the
pipe value to a control URB's actual direction and to WARN if they are
different. This can be triggered by the incorrect computation
mentioned above, as found by syzbot.

This patch fixes the computation, thus avoiding the WARNing.

Reported-and-tested-by: syzbot+72af3105289dcb4c055b@syzkaller.appspotmail.com
Signed-off-by: Alan Stern
Link: https://lore.kernel.org/r/20210712185436.GB326369@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
--- drivers/usb/core/devio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 2218941d35a3..73b60f013b20 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1133,7 +1133,7 @@ static int do_proc_control(struct usb_dev_state *ps, "wIndex=%04x wLength=%04x\n", ctrl->bRequestType, ctrl->bRequest, ctrl->wValue, ctrl->wIndex, ctrl->wLength); - if (ctrl->bRequestType & 0x80) { + if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength) { pipe = usb_rcvctrlpipe(dev, 0); snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0); -- 2.30.2
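
Review bot: the new test `if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength) {` in do_proc_control() has no comment saying why a zero wLength must select the OUT pipe, so the reason lives only in the commit message. A one-line comment above the condition, stating that a transfer of length 0 goes OUT regardless of bRequestType, would keep a later cleanup from reducing it back to a plain direction-bit test. Requests with USB_DIR_IN set and wLength 0 now fall through to the else branch, which lies outside this hunk, so it is worth confirming that branch handles a zero-length transfer and does not assume the direction bit in bRequestType is clear. Replacing the literal 0x80 with USB_DIR_IN is a welcome readability change.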