From: Johan Hovold
Date: Tue, 16 Apr 2019 13:33:43 +0200
To: Young Xiao <92siuyang@gmail.com>
Cc: linux-usb@vger.kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, greg@kroah.com, mchehab@kernel.org, keescook@chromium.org, hans.verkuil@cisco.com, Young Xiao
Subject: Re: [PATCH] USB: s2255 & stkwebcam: fix oops with malicious USB descriptors
Message-ID: <20190416113343.GJ775@localhost>
References: <1554958452-29794-1-git-send-email-92siuyang@gmail.com> <20190416112645.GI775@localhost>
In-Reply-To: <20190416112645.GI775@localhost>
List-ID: linux-usb@vger.kernel.org

On Tue, Apr 16, 2019 at 01:26:45PM +0200, Johan Hovold wrote:
> On Thu, Apr 11, 2019 at 12:54:12PM +0800, Young Xiao wrote:
> > From: Young Xiao <YangX92@hotmail.com>
> > 
> > The driver expects at least one valid endpoint. If given
> > malicious descriptors that specify 0 for the number of endpoints,
> > it will crash in the probe function.  Ensure there is at least
> > one endpoint on the interface before using it.
> 
> Why do you claim it will crash?

Ok, I see now that Björn already pointed this out to you in your
updated version of this patch.

> > This vulnerability is the same as CVE-2016-2188.
> 
> Note that the "fix" for this CVE that you're now copying was incomplete.
> Here's the proper fix:
> 
> 	b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe")
> 
> > Signed-off-by: Young Xiao <YangX92@hotmail.com>
> > ---
> >  drivers/media/usb/s2255/s2255drv.c       | 7 +++++++
> >  drivers/media/usb/stkwebcam/stk-webcam.c | 6 ++++++
> >  2 files changed, 13 insertions(+)
> > 
> > diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c
> > index 5b3e54b..7fdf159 100644
> > --- a/drivers/media/usb/s2255/s2255drv.c
> > +++ b/drivers/media/usb/s2255/s2255drv.c
> > @@ -2263,6 +2263,13 @@ static int s2255_probe(struct usb_interface *interface,
> >  	iface_desc = interface->cur_altsetting;
> >  	dev_dbg(&interface->dev, "num EP: %d\n",
> >  		iface_desc->desc.bNumEndpoints);
> > +
> > +	if (iface_desc->desc.bNumEndpoints < 1) {
> > +		dev_err(&interface->dev, "Invalid number of endpoints\n");
> > +		retval = -EINVAL;
> > +		goto error;
> > +	}
> > +
> >  	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
> 
> Besides that you didn't even bother compile-testing this, there is no
> bug here to fix to begin with.
> 
> If bNumEndpoints is zero this loop will execute and the driver bails out
> just after since dev->read_endpoint is NULL.

That was meant to read "will never execute".

Johan
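Review bot: the `bNumEndpoints < 1` check added in the s2255_probe() hunk is redundant with the `for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i)` loop that immediately follows it: with a zero count the loop body never runs, and the reply states the driver then bails out because `dev->read_endpoint` is still NULL, so no new protection is gained. The hunk also assigns `retval` and jumps to an `error` label, neither of which is visible in the quoted context, and the reply notes the patch was not compile-tested; before resending, build it and confirm that label exists in s2255_probe(). The commit message models the change on the CVE-2016-2188 fix, which the reply calls incomplete; b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe") is the reference to follow if a descriptor check is needed anywhere. The stk-webcam.c hunk listed in the diffstat is not quoted in this reply and cannot be reviewed here.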
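To make the reviewer's point concrete, here is an added user-space model of the endpoint scan that the quoted hunk guards. It is not code from the patch or from s2255drv.c; the type and function names (ep_desc, iface_model, s2255_dev_model, s2255_probe_model, the probe_* helpers) and the three descriptor sets are constructed for this example. It assumes, as the reply describes, that the real driver rejects the interface right after the loop when no bulk-in endpoint was found, and models read_endpoint as an endpoint address with 0 meaning "not set". The point it demonstrates is that a zero bNumEndpoints never reaches the endpoint array, so the extra check changes nothing.

```c
/*
 * Added example (not from the patch or the s2255 driver): a user-space model
 * of the endpoint scan in s2255_probe(). With bNumEndpoints == 0 the loop
 * bound already prevents any access to the endpoint array, and the
 * "no bulk-in endpoint" check that the reply says follows the loop rejects
 * the interface. All names here are assumptions, not the driver's own types.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Endpoint descriptor constants from the USB 2.0 spec (same values as ch9.h). */
#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     2

struct ep_desc {
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
};

/* Model of struct usb_host_interface: an endpoint count plus a descriptor array. */
struct iface_model {
	uint8_t bNumEndpoints;
	const struct ep_desc *endpoint;   /* may be NULL when bNumEndpoints == 0 */
};

struct s2255_dev_model {
	uint8_t read_endpoint;   /* 0 until a bulk-in endpoint has been found */
};

/* Model of usb_endpoint_is_bulk_in(): IN direction and bulk transfer type. */
static int ep_is_bulk_in(const struct ep_desc *ep)
{
	return (ep->bEndpointAddress & USB_DIR_IN) &&
	       (ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_BULK;
}

/*
 * Model of the scan quoted in the hunk plus the bail-out the reply describes.
 * Returns 0 with dev->read_endpoint set on success, -ENODEV otherwise.
 */
int s2255_probe_model(const struct iface_model *iface, struct s2255_dev_model *dev)
{
	int i;

	memset(dev, 0, sizeof(*dev));

	/* With bNumEndpoints == 0 the body never runs, so endpoint[] is never read. */
	for (i = 0; i < iface->bNumEndpoints; ++i) {
		const struct ep_desc *ep = &iface->endpoint[i];

		if (!dev->read_endpoint && ep_is_bulk_in(ep))
			dev->read_endpoint = ep->bEndpointAddress;
	}

	/* The bail-out the reply refers to: no bulk-in endpoint means no device. */
	if (!dev->read_endpoint)
		return -ENODEV;

	return 0;
}

/* Constructed descriptor sets: a device with only a bulk-out endpoint, and one
 * that also carries a bulk-in endpoint (address 0x81). */
static const struct ep_desc only_bulk_out[] = {
	{ .bEndpointAddress = 0x02, .bmAttributes = USB_ENDPOINT_XFER_BULK },
};
static const struct ep_desc bulk_out_then_in[] = {
	{ .bEndpointAddress = 0x02, .bmAttributes = USB_ENDPOINT_XFER_BULK },
	{ .bEndpointAddress = 0x81, .bmAttributes = USB_ENDPOINT_XFER_BULK },
};

/* The case the patch worries about: zero endpoints and a NULL array. */
int probe_zero_endpoints(void)
{
	struct iface_model iface = { .bNumEndpoints = 0, .endpoint = NULL };
	struct s2255_dev_model dev;

	return s2255_probe_model(&iface, &dev);
}

/* Endpoints present, but none of them is bulk-in. */
int probe_only_bulk_out(void)
{
	struct iface_model iface = { .bNumEndpoints = 1, .endpoint = only_bulk_out };
	struct s2255_dev_model dev;

	return s2255_probe_model(&iface, &dev);
}

/* Normal device: returns the bulk-in address that the scan picked up. */
int probe_with_bulk_in(void)
{
	struct iface_model iface = { .bNumEndpoints = 2, .endpoint = bulk_out_then_in };
	struct s2255_dev_model dev;
	int ret = s2255_probe_model(&iface, &dev);

	return ret ? ret : dev.read_endpoint;
}

int main(void)
{
	printf("zero endpoints : %d\n", probe_zero_endpoints());
	printf("only bulk-out  : %d\n", probe_only_bulk_out());
	printf("with bulk-in   : 0x%02x\n", probe_with_bulk_in());
	return 0;
}
```

The zero-endpoint and bulk-out-only cases take the same path to -ENODEV; the loop bound, not an explicit count check, is what keeps the scan away from a missing endpoint array.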