From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Secunia Research <vuln@secunia.com>,
	Shuah Khan <shuahkh@osg.samsung.com>
Subject: [PATCH 3.18 16/45] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input
Date: Thu, 15 Feb 2018 16:17:07 +0100
Message-ID: <20180215144119.306946021@linuxfoundation.org>
In-Reply-To: <20180215144115.863307741@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuah Khan <shuahkh@osg.samsung.com>

commit c6688ef9f29762e65bce325ef4acd6c675806366 upstream.

Harden CMD_SUBMIT path to handle malicious input that could trigger
large memory allocations. Add checks to validate transfer_buffer_length
and number_of_packets to protect against bad input requesting for
unbounded memory allocations. Validate early in get_pipe() and return
failure.

Reported-by: Secunia Research <vuln@secunia.com>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 drivers/usb/usbip/stub_rx.c |   30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

--- a/drivers/usb/usbip/stub_rx.c
+++ b/drivers/usb/usbip/stub_rx.c
@@ -341,11 +341,13 @@ static struct stub_priv *stub_priv_alloc
 	return priv;
 }
 
-static int get_pipe(struct stub_device *sdev, int epnum, int dir)
+static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu)
 {
 	struct usb_device *udev = sdev->udev;
 	struct usb_host_endpoint *ep;
 	struct usb_endpoint_descriptor *epd = NULL;
+	int epnum = pdu->base.ep;
+	int dir = pdu->base.direction;
 
 	if (epnum < 0 || epnum > 15)
 		goto err_ret;
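
Review bot: the new `struct usbip_header *pdu` parameter of get_pipe() is only read (`pdu->base.ep`, `pdu->base.direction`, and the cmd_submit fields further down), so it should be `const struct usbip_header *pdu`. That documents that a validation helper never modifies the request it is checking and lets the compiler enforce it.
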
@@ -358,6 +360,7 @@ static int get_pipe(struct stub_device *
 		goto err_ret;
 
 	epd = &ep->desc;
+
 	if (usb_endpoint_xfer_control(epd)) {
 		if (dir == USBIP_DIR_OUT)
 			return usb_sndctrlpipe(udev, epnum);
@@ -380,6 +383,27 @@ static int get_pipe(struct stub_device *
 	}
 
 	if (usb_endpoint_xfer_isoc(epd)) {
+		/* validate packet size and number of packets */
+		unsigned int maxp, packets, bytes;
+
+#define USB_EP_MAXP_MULT_SHIFT  11
+#define USB_EP_MAXP_MULT_MASK   (3 << USB_EP_MAXP_MULT_SHIFT)
+#define USB_EP_MAXP_MULT(m) \
+	(((m) & USB_EP_MAXP_MULT_MASK) >> USB_EP_MAXP_MULT_SHIFT)
+
+		maxp = usb_endpoint_maxp(epd);
+		maxp *= (USB_EP_MAXP_MULT(
+				__le16_to_cpu(epd->wMaxPacketSize)) + 1);
+		bytes = pdu->u.cmd_submit.transfer_buffer_length;
+		packets = DIV_ROUND_UP(bytes, maxp);
+
+		if (pdu->u.cmd_submit.number_of_packets < 0 ||
+		    pdu->u.cmd_submit.number_of_packets > packets) {
+			dev_err(&sdev->udev->dev,
+				"CMD_SUBMIT: isoc invalid num packets %d\n",
+				pdu->u.cmd_submit.number_of_packets);
+			return -1;
+		}
 		if (dir == USBIP_DIR_OUT)
 			return usb_sndisocpipe(udev, epnum);
 		else
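
Review bot: in the isoc branch, `bytes` is copied from `pdu->u.cmd_submit.transfer_buffer_length` and used only to derive the ceiling for `number_of_packets`; nothing in this hunk rejects the length itself, so the ceiling grows with whatever length the peer sends, and the non-isoc branches of get_pipe() gain no check at all. The commit message says both fields are validated, so either add an explicit bound on transfer_buffer_length before the `DIV_ROUND_UP` (including a negative check if the field is signed, since it is assigned to an `unsigned int`), or reword the message to match. Separately, `maxp` is the divisor in `DIV_ROUND_UP(bytes, maxp)` with no test for zero; an endpoint descriptor reporting a zero wMaxPacketSize would divide by zero here, so return failure when `maxp == 0`. The three `#define`s would also sit better at file scope than inside the function body.
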
@@ -388,7 +412,7 @@ static int get_pipe(struct stub_device *
 
 err_ret:
 	/* NOT REACHED */
-	dev_err(&sdev->interface->dev, "get pipe, epnum %d\n", epnum);
+	dev_err(&sdev->udev->dev, "CMD_SUBMIT: invalid epnum %d\n", epnum);
 	return -1;
 }
 
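
Review bot: the `/* NOT REACHED */` comment left as context directly above the changed dev_err() is wrong, because `err_ret` is the target of the `goto err_ret` in the epnum range check at the top of get_pipe(); remove the comment while this line is being touched. Note also that the new isoc rejection returns -1 directly rather than through this label, so the function now has two failure exits with different log prefixes; a short comment at `err_ret` saying it covers only the endpoint lookup failures would keep that clear.
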
@@ -453,7 +477,7 @@ static void stub_recv_cmd_submit(struct
 	struct stub_priv *priv;
 	struct usbip_device *ud = &sdev->ud;
 	struct usb_device *udev = sdev->udev;
-	int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction);
+	int pipe = get_pipe(sdev, pdu);
 
 	if (pipe == -1)
 		return;
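
Review bot: at `if (pipe == -1) return;` the request is dropped with no reply to the peer and no connection-level error raised in the visible lines, and after this patch get_pipe() can fail on wire-supplied fields (number_of_packets) rather than only on a bad endpoint number. Please state in the changelog or a comment here what the intended behaviour is when a peer sends a rejected CMD_SUBMIT, and whether the connection should be torn down instead of silently continuing to read further PDUs.
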
