From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Subject: USB: s2255 & stkwebcam: fix oops with malicious USB descriptors From: Johan Hovold Message-Id: <20190416112645.GI775@localhost> Date: Tue, 16 Apr 2019 13:26:45 +0200 To: Young Xiao <92siuyang@gmail.com> Cc: linux-usb@vger.kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, greg@kroah.com, mchehab@kernel.org, keescook@chromium.org, hans.verkuil@cisco.com, Young Xiao List-ID: T24gVGh1LCBBcHIgMTEsIDIwMTkgYXQgMTI6NTQ6MTJQTSArMDgwMCwgWW91bmcgWGlhbyB3cm90 ZToKPiBGcm9tOiBZb3VuZyBYaWFvIDxZYW5nWDkyQGhvdG1haWwuY29tPgo+IAo+IFRoZSBkcml2 ZXIgZXhwZWN0cyBhdCBsZWFzdCBvbmUgdmFsaWQgZW5kcG9pbnQuIElmIGdpdmVuCj4gbWFsaWNp b3VzIGRlc2NyaXB0b3JzIHRoYXQgc3BlY2lmeSAwIGZvciB0aGUgbnVtYmVyIG9mIGVuZHBvaW50 cywKPiBpdCB3aWxsIGNyYXNoIGluIHRoZSBwcm9iZSBmdW5jdGlvbi4gIEVuc3VyZSB0aGVyZSBp cyBhdCBsZWFzdAo+IG9uZSBlbmRwb2ludCBvbiB0aGUgaW50ZXJmYWNlIGJlZm9yZSB1c2luZyBp dC4KCldoeSBkbyBjbGFpbSBpdCB3aWxsIGNyYXNoPwoKPiBUaGlzIHZ1bG5lcmFiaWxpdHkgaXMg c2FtZSBhcyBDVkUtMjAxNi0yMTg4LgoKTm90ZSB0aGF0IHRoZSAiZml4IiBmb3IgdGhpcyBDVkUg dGhhdCB5b3UncmUgbm93IGNvcHlpbmcgd2FzIGluY29tcGxldGUuCkhlcmUncyB0aGUgcHJvcGVy IGZpeDoKCgliNzMyMWU4MWZjMzYgKCJVU0I6IGlvd2FycmlvcjogZml4IE5VTEwtZGVyZWYgYXQg cHJvYmUiKQoKPiBTaWduZWQtb2ZmLWJ5OiBZb3VuZyBYaWFvIDxZYW5nWDkyQGhvdG1haWwuY29t Pgo+IC0tLQo+ICBkcml2ZXJzL21lZGlhL3VzYi9zMjI1NS9zMjI1NWRydi5jICAgICAgIHwgNyAr KysrKysrCj4gIGRyaXZlcnMvbWVkaWEvdXNiL3N0a3dlYmNhbS9zdGstd2ViY2FtLmMgfCA2ICsr KysrKwo+ICAyIGZpbGVzIGNoYW5nZWQsIDEzIGluc2VydGlvbnMoKykKPiAKPiBkaWZmIC0tZ2l0 IGEvZHJpdmVycy9tZWRpYS91c2IvczIyNTUvczIyNTVkcnYuYyBiL2RyaXZlcnMvbWVkaWEvdXNi L3MyMjU1L3MyMjU1ZHJ2LmMKPiBpbmRleCA1YjNlNTRiLi43ZmRmMTU5IDEwMDY0NAo+IC0tLSBh L2RyaXZlcnMvbWVkaWEvdXNiL3MyMjU1L3MyMjU1ZHJ2LmMKPiArKysgYi9kcml2ZXJzL21lZGlh L3VzYi9zMjI1NS9zMjI1NWRydi5jCj4gQEAgLTIyNjMsNiArMjI2MywxMyBAQCBzdGF0aWMgaW50 IHMyMjU1X3Byb2JlKHN0cnVjdCB1c2JfaW50ZXJmYWNlICppbnRlcmZhY2UsCj4gIAlpZmFjZV9k ZXNjID0gaW50ZXJmYWNlLT5jdXJfYWx0c2V0dGluZzsKPiAgCWRldl9kYmcoJmludGVyZmFjZS0+ ZGV2LCAibnVtIEVQOiAlZFxuIiwKPiAgCQlpZmFjZV9kZXNjLT5kZXNjLmJOdW1FbmRwb2ludHMp Owo+ICsKPiArCWlmIChpZmFjZV9kZXNjLT5kZXNjLmJOdW1FbmRwb2ludHMgPCAxKSB7Cj4gKwkJ ZGV2X2VycigmaW50ZXJmYWNlLT5kZXYsICJJbnZhbGlkIG51bWJlciBvZiBlbmRwb2ludHNcbiIp Owo+ICsJCXJldHZhbCA9IC1FSU5WQUw7Cj4gKwkJZ290byBlcnJvcjsKPiArCX0KPiArCj4gIAlm b3IgKGkgPSAwOyBpIDwgaWZhY2VfZGVzYy0+ZGVzYy5iTnVtRW5kcG9pbnRzOyArK2kpIHsKCkJl c2lkZXMgdGhhdCB5b3UgZGlkbid0IGV2ZW4gYm90aGVyIGNvbXBpbGUtdGVzdGluZyB0aGlzLCB0 aGVyZSBpcyBubwpidWcgaGVyZSB0byBmaXggdG8gYmVnaW4gd2l0aC4KCklmIGJOdW1FbmRwb2lu dHMgaXMgemVybyB0aGlzIGxvb3Agd2lsbCBleGVjdXRlIGFuZCB0aGUgZHJpdmVyIGJhaWxzIG91 dApqdXN0IGFmdGVyIHNpbmNlIGRldi0+cmVhZF9lbmRwb2ludCBpcyBOVUxMLgoKPiAgCQllbmRw b2ludCA9ICZpZmFjZV9kZXNjLT5lbmRwb2ludFtpXS5kZXNjOwo+ICAJCWlmICghZGV2LT5yZWFk X2VuZHBvaW50ICYmIHVzYl9lbmRwb2ludF9pc19idWxrX2luKGVuZHBvaW50KSkgewo+IGRpZmYg LS1naXQgYS9kcml2ZXJzL21lZGlhL3VzYi9zdGt3ZWJjYW0vc3RrLXdlYmNhbS5jIGIvZHJpdmVy cy9tZWRpYS91c2Ivc3Rrd2ViY2FtL3N0ay13ZWJjYW0uYwo+IGluZGV4IDhmNTQ1ODYuLmQyYTQ3 ODUgMTAwNjQ0Cj4gLS0tIGEvZHJpdmVycy9tZWRpYS91c2Ivc3Rrd2ViY2FtL3N0ay13ZWJjYW0u Ywo+ICsrKyBiL2RyaXZlcnMvbWVkaWEvdXNiL3N0a3dlYmNhbS9zdGstd2ViY2FtLmMKPiBAQCAt MTM1MCw2ICsxMzUwLDEyIEBAIHN0YXRpYyBpbnQgc3RrX2NhbWVyYV9wcm9iZShzdHJ1Y3QgdXNi X2ludGVyZmFjZSAqaW50ZXJmYWNlLAo+ICAJICogZm9yIHRoZSBjdXJyZW50IGFsdGVybmF0ZSBz ZXR0aW5nICovCj4gIAlpZmFjZV9kZXNjID0gaW50ZXJmYWNlLT5jdXJfYWx0c2V0dGluZzsKPiAg Cj4gKwlpZiAoaWZhY2VfZGVzYy0+ZGVzYy5iTnVtRW5kcG9pbnRzIDwgMSkgewo+ICsJCWRldl9l cnIoJmludGVyZmFjZS0+ZGV2LCAiSW52YWxpZCBudW1iZXIgb2YgZW5kcG9pbnRzXG4iKTsKPiAr CQlyZXR2YWwgPSAtRUlOVkFMOwo+ICsJCWdvdG8gZXJyb3I7Cj4gKwl9Cj4gKwo+ICAJZm9yIChp ID0gMDsgaSA8IGlmYWNlX2Rlc2MtPmRlc2MuYk51bUVuZHBvaW50czsgKytpKSB7CgpTYW1lIGhl cmUuCgo+ICAJCWVuZHBvaW50ID0gJmlmYWNlX2Rlc2MtPmVuZHBvaW50W2ldLmRlc2M7CgpKb2hh bgo= From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS, T_DKIMWL_WL_HIGH,USER_AGENT_MUTT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE4ABC10F13 for ; Tue, 16 Apr 2019 11:26:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9FC292075B for ; Tue, 16 Apr 2019 11:26:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1555414008; bh=gkDHdtUZw4LIZmkCFR8CKDA+uD3WfNPB8qcrYtx5X3U=; h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From; b=zsYn1VjPPDsiSPyB5ItZgSTEkRBdOSminID1fzPO+XTcaN2vaeMGpCRt2lUxXhOiA pw3W86B8k+sbKrOe2ax25rA0pGk+6CDsvWiqHLcRRRAdYOeciJ/qbtMhc71NJhXgn8 mG7BAxhGMB7p4cr09pULzla3YeK5+rt+OG9xlQfI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728028AbfDPL0n (ORCPT ); Tue, 16 Apr 2019 07:26:43 -0400 Received: from mail-lf1-f65.google.com ([209.85.167.65]:35578 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726313AbfDPL0n (ORCPT ); Tue, 16 Apr 2019 07:26:43 -0400 Received: by mail-lf1-f65.google.com with SMTP id j20so2845011lfh.2; Tue, 16 Apr 2019 04:26:41 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=vJKHZpxwRQsFB5n0MhL4GKkRlf428UhyO+u00MshSV8=; b=FKO9u9scV+8ZfRDLnQYBixpDm1B1e3qWapPfLlJ734ZzsxdbwbgTVkrDV4MiUJsLR4 OtcgIpcEzOTk6M3XHHOYvoDmpdO1LfaKVLExf1wUaPJ5X001zIlVzHK5YnEwY9nmM2f7 cniE6k4183DovGp7nHXM3Gn7Ek86yWcnocCGOU2rqzE6JM9aTSkUlQ/quUQW7zGn+N9V 9axVXK8ct//70EC+wrC62GFA0FjxT4A7CVQNRCy0wB2+34EjilmavNgxMsV4x1uzAEQu ZyIYbi66MwqrGCzl79LHRsonHzYrdmkpPh+e/sOYsL1Fin+HIGch5UqCMDUq/v1e6G5/ b9Lg== X-Gm-Message-State: APjAAAX8GurwGt+gSPywRl/tpCva3uJ36LUuEW+uB1A5zrprFXULYbuU JaHreMHGbv1SnGWaHp52pSY= X-Google-Smtp-Source: APXvYqxWZCARybrme3NTxtAyTyCXhPJuPWGzMuQBfgX3z7SL0RhOgmInP2brmoCwIk/0nm3rv+5h2Q== X-Received: by 2002:ac2:482e:: with SMTP id 14mr24096972lft.1.1555414000929; Tue, 16 Apr 2019 04:26:40 -0700 (PDT) Received: from xi.terra (c-74bee655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.190.116]) by smtp.gmail.com with ESMTPSA id i24sm10305641ljb.31.2019.04.16.04.26.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 16 Apr 2019 04:26:39 -0700 (PDT) Received: from johan by xi.terra with local (Exim 4.91) (envelope-from ) id 1hGMEf-0006wi-M2; Tue, 16 Apr 2019 13:26:45 +0200 Date: Tue, 16 Apr 2019 13:26:45 +0200 From: Johan Hovold To: Young Xiao <92siuyang@gmail.com> Cc: linux-usb@vger.kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, greg@kroah.com, mchehab@kernel.org, keescook@chromium.org, hans.verkuil@cisco.com, Young Xiao Subject: Re: [PATCH] USB: s2255 & stkwebcam: fix oops with malicious USB descriptors Message-ID: <20190416112645.GI775@localhost> References: <1554958452-29794-1-git-send-email-92siuyang@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline In-Reply-To: <1554958452-29794-1-git-send-email-92siuyang@gmail.com> User-Agent: Mutt/1.11.4 (2019-03-13) Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Message-ID: <20190416112645.SjXgaS6DzgeKXtOeJ0-IpdKxAw4pplZxIKviZAn6GsE@z> On Thu, Apr 11, 2019 at 12:54:12PM +0800, Young Xiao wrote: > From: Young Xiao > > The driver expects at least one valid endpoint. If given > malicious descriptors that specify 0 for the number of endpoints, > it will crash in the probe function. Ensure there is at least > one endpoint on the interface before using it. Why do claim it will crash? > This vulnerability is same as CVE-2016-2188. Note that the "fix" for this CVE that you're now copying was incomplete. Here's the proper fix: b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe") > Signed-off-by: Young Xiao > --- > drivers/media/usb/s2255/s2255drv.c | 7 +++++++ > drivers/media/usb/stkwebcam/stk-webcam.c | 6 ++++++ > 2 files changed, 13 insertions(+) > > diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c > index 5b3e54b..7fdf159 100644 > --- a/drivers/media/usb/s2255/s2255drv.c > +++ b/drivers/media/usb/s2255/s2255drv.c > @@ -2263,6 +2263,13 @@ static int s2255_probe(struct usb_interface *interface, > iface_desc = interface->cur_altsetting; > dev_dbg(&interface->dev, "num EP: %d\n", > iface_desc->desc.bNumEndpoints); > + > + if (iface_desc->desc.bNumEndpoints < 1) { > + dev_err(&interface->dev, "Invalid number of endpoints\n"); > + retval = -EINVAL; > + goto error; > + } > + > for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { Besides that you didn't even bother compile-testing this, there is no bug here to fix to begin with. If bNumEndpoints is zero this loop will execute and the driver bails out just after since dev->read_endpoint is NULL. > endpoint = &iface_desc->endpoint[i].desc; > if (!dev->read_endpoint && usb_endpoint_is_bulk_in(endpoint)) { > diff --git a/drivers/media/usb/stkwebcam/stk-webcam.c b/drivers/media/usb/stkwebcam/stk-webcam.c > index 8f54586..d2a4785 100644 > --- a/drivers/media/usb/stkwebcam/stk-webcam.c > +++ b/drivers/media/usb/stkwebcam/stk-webcam.c > @@ -1350,6 +1350,12 @@ static int stk_camera_probe(struct usb_interface *interface, > * for the current alternate setting */ > iface_desc = interface->cur_altsetting; > > + if (iface_desc->desc.bNumEndpoints < 1) { > + dev_err(&interface->dev, "Invalid number of endpoints\n"); > + retval = -EINVAL; > + goto error; > + } > + > for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { Same here. > endpoint = &iface_desc->endpoint[i].desc; Johan