From: Greg KH <greg@kroah.com>
To: Oliver Neukum <oneukum@suse.com>
Cc: linux-usb@vger.kernel.org
Subject: Re: [RFC]How else could a malicious device sabotage endpoints for usbnet
Date: Thu, 9 Dec 2021 16:47:18 +0100 [thread overview]
Message-ID: <YbIlBl8Ay1rIED8p@kroah.com> (raw)
In-Reply-To: <ad1ee829-401a-d051-1da8-f9e01caa7b85@suse.com>
On Thu, Dec 09, 2021 at 04:33:29PM +0100, Oliver Neukum wrote:
> Hi,
>
> I have checked for type, direction and number of endpoints.
> But I keep thinking that I have overlooked a way to make broken
> endpoint descriptors. Any suggestions?
>
> Regards
> Oliver
>
> >From 853e421630f82fb3b7005ad0b294c091a064ac39 Mon Sep 17 00:00:00 2001
> From: Oliver Neukum <oneukum@suse.com>
> Date: Thu, 18 Nov 2021 18:15:03 +0100
> Subject: [PATCH] usbnet: sanity check for endpoint types
>
> A malicious device can pretend to be a device with a known
> configuration of endpoints yet present endpoints of the wrong type
> or too few or none at all.
>
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
> ---
> drivers/net/usb/usbnet.c | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> index 9a6450f796dc..b1f93810a6f3 100644
> --- a/drivers/net/usb/usbnet.c
> +++ b/drivers/net/usb/usbnet.c
> @@ -91,6 +91,31 @@ static const char * const usbnet_event_names[] = {
> [EVENT_NO_IP_ALIGN] = "EVENT_NO_IP_ALIGN",
> };
>
> +bool usbnet_validate_endpoints(struct usbnet *dev, struct usb_interface *intf, const struct driver_info *info)
> +{
> + struct usb_host_interface *alt = intf->cur_altsetting;
> + struct usb_host_endpoint *e;
> + int num_endpoints = alt->desc.bNumEndpoints;
> +
> + if (info->in > num_endpoints)
> + return false;
> + e = alt->endpoint + info->in;
> + if (!e)
> + return false;
> + if (!usb_endpoint_is_bulk_in(&e->desc))
> + return false;
> +
> + if (info->out > num_endpoints)
> + return false;
> + e = alt->endpoint + info->out;
> + if (!e)
> + return false;
> + if (!usb_endpoint_is_bulk_out(&e->desc))
> + return false;
> +
> + return true;
Why not use usb_find_common_endpoints() and/or the other helper
functions instead? that's what they were created for.
thanks,
greg k-h
next prev parent reply other threads:[~2021-12-09 15:47 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-09 15:33 [RFC]How else could a malicious device sabotage endpoints for usbnet Oliver Neukum
2021-12-09 15:47 ` Greg KH [this message]
2021-12-15 14:47 ` Oliver Neukum
2021-12-15 14:57 ` Greg KH
2021-12-16 10:16 ` Oliver Neukum
2021-12-21 7:54 ` Greg KH
2021-12-21 8:36 ` Oliver Neukum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YbIlBl8Ay1rIED8p@kroah.com \
--to=greg@kroah.com \
--cc=linux-usb@vger.kernel.org \
--cc=oneukum@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox