From: Alan Stern <stern@rowland.harvard.edu>
To: Oliver Neukum <oneukum@suse.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
USB list <linux-usb@vger.kernel.org>
Subject: Re: revisiting the issue of hardening the USB enumeration parser
Date: Thu, 16 May 2024 12:58:25 -0400 [thread overview]
Message-ID: <549323ac-e550-4921-a770-e0961b3b9151@rowland.harvard.edu> (raw)
In-Reply-To: <b94e5037-19da-4cc9-9a8a-28df8ada4795@suse.com>
On Thu, May 16, 2024 at 03:48:41PM +0200, Oliver Neukum wrote:
> Hi,
>
> you convinced me that my last attempt to look at the parser
> was fundamentally flawed. Instead I went top down from parsing
> the configuration down to endpoints. I found one major issue.
>
> static int find_next_descriptor(unsigned char *buffer, int size,
>                                 int dt1, int dt2, int *num_skipped)
> {
>         struct usb_descriptor_header *h;
>         int n = 0;
>         unsigned char *buffer0 = buffer;
>
>         /* Find the next descriptor of type dt1 or dt2 */
>         while (size > 0) {
>                 h = (struct usb_descriptor_header *) buffer;
>
>                 if (h->bDescriptorType == dt1 || h->bDescriptorType == dt2)
>                         break;
>                 buffer += h->bLength;
>                 size -= h->bLength;
>                 ++n;
>         }
>
>         /* Store the number of descriptors skipped and return the
>          * number of bytes skipped */
>         if (num_skipped)
>                 *num_skipped = n;
>         return buffer - buffer0;
> }
>
> This is called from multiple sites on chains of descriptors.
> We do have a check for overflowing the buffer in the while statement.
> However, there is no guarantee of making progress. If at some point
> in the chain we arrive at a descriptor of neither type we are looking
> for and a bLength of 0, size will remain constant and the loop
> will go on forever.
>
> AFAICT this is not guarded against anywhere outside the function.
You didn't notice this code in usb_parse_configuration() (starting
around line 659):
	header = (struct usb_descriptor_header *) buffer2;
	if ((header->bLength > size2) || (header->bLength < 2)) {
		dev_notice(ddev, "config %d has an invalid descriptor "
		    "of length %d, skipping remainder of the config\n",
		    cfgno, header->bLength);
		break;
	}
The inner parentheses in the "if" condition aren't necessary, but the
second half of the condition protects against zero-length descriptors.
> So how about the attached patch?
It's not necessary.
Alan Stern
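The point of the exchange above is that the inner loop is only safe because the outer parse has already cut the descriptor chain at the first entry with bLength < 2. The following stand-alone C program (added here as an illustration, not code from the kernel or from either poster) keeps the quoted find_next_descriptor() verbatim and puts a pre-walk in front of it, modelled on the usb_parse_configuration() check Alan quotes. The descriptor buffers, the struct definition and the helper names trusted_chain_length() and find_endpoint_offset() are constructed for this example; the constant values are the standard USB descriptor type codes.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's struct usb_descriptor_header (2-byte prefix). */
struct usb_descriptor_header {
	unsigned char bLength;
	unsigned char bDescriptorType;
};

#define USB_DT_INTERFACE    0x04
#define USB_DT_ENDPOINT     0x05
#define USB_DT_CS_INTERFACE 0x24

/* The loop quoted in the thread, unchanged: it terminates only if every
 * descriptor it steps over has bLength > 0. */
static int find_next_descriptor(unsigned char *buffer, int size,
				int dt1, int dt2, int *num_skipped)
{
	struct usb_descriptor_header *h;
	int n = 0;
	unsigned char *buffer0 = buffer;

	while (size > 0) {
		h = (struct usb_descriptor_header *) buffer;
		if (h->bDescriptorType == dt1 || h->bDescriptorType == dt2)
			break;
		buffer += h->bLength;
		size -= h->bLength;
		++n;
	}
	if (num_skipped)
		*num_skipped = n;
	return buffer - buffer0;
}

/* Outer guard modelled on the usb_parse_configuration() check: walk the
 * chain once, stop at the first descriptor whose bLength is < 2 or would
 * overrun the buffer, and report how many leading bytes are well-formed.
 * Only that prefix is ever handed to find_next_descriptor(). */
static int trusted_chain_length(const unsigned char *buffer, int size,
				int *truncated)
{
	int used = 0;

	*truncated = 0;
	while (size - used >= (int) sizeof(struct usb_descriptor_header)) {
		const struct usb_descriptor_header *h =
			(const struct usb_descriptor_header *) (buffer + used);

		if (h->bLength > size - used || h->bLength < 2) {
			*truncated = 1;	/* "skipping remainder of the config" */
			break;
		}
		used += h->bLength;
	}
	return used;
}

/* Constructed input (not a real device): an interface descriptor, a 5-byte
 * class-specific descriptor, a descriptor with bLength == 0, then an
 * endpoint descriptor that must never be reached. */
static unsigned char bad_config[] = {
	9, USB_DT_INTERFACE, 0, 0, 1, 0xff, 0, 0, 0,
	5, USB_DT_CS_INTERFACE, 0, 0, 0,
	0, 0x7f,			/* zero-length descriptor */
	7, USB_DT_ENDPOINT, 0x81, 0x03, 8, 0, 10,
};

/* The same chain without the zero-length descriptor. */
static unsigned char good_config[] = {
	9, USB_DT_INTERFACE, 0, 0, 1, 0xff, 0, 0, 0,
	5, USB_DT_CS_INTERFACE, 0, 0, 0,
	7, USB_DT_ENDPOINT, 0x81, 0x03, 8, 0, 10,
};

/* Find the first endpoint after the interface descriptor, searching only
 * the validated prefix. Returns its byte offset in the config, or -1. */
static int find_endpoint_offset(unsigned char *config, int size, int *skipped)
{
	int truncated;
	int safe = trusted_chain_length(config, size, &truncated);
	int start = config[0];		/* step over the interface descriptor */
	int off;

	if (start > safe)
		return -1;
	off = start + find_next_descriptor(config + start, safe - start,
					   USB_DT_ENDPOINT, USB_DT_ENDPOINT,
					   skipped);
	return off >= safe ? -1 : off;	/* ran off the prefix: not found */
}

int main(void)
{
	int skipped;
	int off = find_endpoint_offset(bad_config, sizeof(bad_config), &skipped);

	printf("bad_config: endpoint offset %d, skipped %d\n", off, skipped);
	off = find_endpoint_offset(good_config, sizeof(good_config), &skipped);
	printf("good_config: endpoint offset %d, skipped %d\n", off, skipped);
	return 0;
}
```

With the zero-length descriptor present, trusted_chain_length() stops after 14 bytes, so find_next_descriptor() is given a size of 5, runs out of bytes and returns without ever seeing the bLength == 0 entry; the endpoint behind it is simply not found, which is the "skipping remainder of the config" behaviour Alan describes. Without the pre-walk the same buffer would hang the inner loop.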
2024-05-16 13:48 revisiting the issue of hardening the USB enumeration parser Oliver Neukum
2024-05-16 16:58 ` Alan Stern [this message]