[PATCH] usb: don't trust report_size for buffer size

[PATCH] usb: don't trust report_size for buffer size

[Kees Cook]

If the iowarrior devices in this case statement support more than 8 bytes
per report, it is possible to write past the end of a kernel heap allocation.
This will probably never be possible, but change the allocation to be more
defensive anyway.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
---
 drivers/usb/misc/iowarrior.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index bc88c79..8ed8d05 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
 	case USB_DEVICE_ID_CODEMERCS_IOWPV2:
 	case USB_DEVICE_ID_CODEMERCS_IOW40:
 		/* IOW24 and IOW40 use a synchronous call */
-		buf = kmalloc(8, GFP_KERNEL);	/* 8 bytes are enough for both products */
+		buf = kmalloc(count, GFP_KERNEL);
 		if (!buf) {
 			retval = -ENOMEM;
 			goto exit;
-- 
1.7.1

-- 
Kees Cook
Ubuntu Security Team

Re: [PATCH] usb: don't trust report_size for buffer size

[Németh Márton]

Kees Cook wrote:
> If the iowarrior devices in this case statement support more than 8 bytes
> per report, it is possible to write past the end of a kernel heap allocation.
> This will probably never be possible, but change the allocation to be more
> defensive anyway.

I think this might be triggered from user space, indeed. The iowarrior_class.fops->write
points directly to the function iowarrior_write(). The iowarrior_class itself
is passed to the function usb_register_dev(), which means that the write() system
call to the character device will result in calling the iowarrior_write() function.

> Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Márton Németh <nm127@freemail.hu>

There might be similar problem also in the case USB_DEVICE_ID_CODEMERCS_IOW56. There
is buf is allocated with usb_alloc_coherent() to the size dev->report_size. However,
some lines later the copy_from_user() function tries to copy "count" number of
bytes to the dev->report_size allocated buffer. Unfortunately I don't have such
devices to try the driver so these are just coming from "static analysis".

> ---
>  drivers/usb/misc/iowarrior.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
> index bc88c79..8ed8d05 100644
> --- a/drivers/usb/misc/iowarrior.c
> +++ b/drivers/usb/misc/iowarrior.c
> @@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
>  	case USB_DEVICE_ID_CODEMERCS_IOWPV2:
>  	case USB_DEVICE_ID_CODEMERCS_IOW40:
>  		/* IOW24 and IOW40 use a synchronous call */
> -		buf = kmalloc(8, GFP_KERNEL);	/* 8 bytes are enough for both products */
> +		buf = kmalloc(count, GFP_KERNEL);
>  		if (!buf) {
>  			retval = -ENOMEM;
>  			goto exit;

Re: [PATCH] usb: don't trust report_size for buffer size

[Kees Cook]

Hi Németh,

On Mon, Oct 11, 2010 at 08:54:04PM +0200, Németh Márton wrote:
> There might be similar problem also in the case USB_DEVICE_ID_CODEMERCS_IOW56. There
> is buf is allocated with usb_alloc_coherent() to the size dev->report_size. However,
> some lines later the copy_from_user() function tries to copy "count" number of
> bytes to the dev->report_size allocated buffer. Unfortunately I don't have such
> devices to try the driver so these are just coming from "static analysis".

I don't think the USB_DEVICE_ID_CODEMERCS_IOW56 path is a problem:

        if (count != dev->report_size) {
                retval = -EINVAL;
                goto exit;
        }
        switch (dev->product_id) {
...
        case USB_DEVICE_ID_CODEMERCS_IOW56:
...
                buf = usb_alloc_coherent(dev->udev, dev->report_size,
                                         GFP_KERNEL, &int_out_urb->transfer_dma);
...
                if (copy_from_user(buf, user_buffer, count)) {

i.e. count must == dev->report_size, and the buf is allocated with size
dev->report_size even though copy_from_user uses "count".

-Kees

-- 
Kees Cook
Ubuntu Security Team

Re: [PATCH] usb: don't trust report_size for buffer size

[Németh Márton]

Kees Cook wrote:
> Hi Németh,
> 
> On Mon, Oct 11, 2010 at 08:54:04PM +0200, Németh Márton wrote:
>> There might be similar problem also in the case USB_DEVICE_ID_CODEMERCS_IOW56. There
>> is buf is allocated with usb_alloc_coherent() to the size dev->report_size. However,
>> some lines later the copy_from_user() function tries to copy "count" number of
>> bytes to the dev->report_size allocated buffer. Unfortunately I don't have such
>> devices to try the driver so these are just coming from "static analysis".
> 
> I don't think the USB_DEVICE_ID_CODEMERCS_IOW56 path is a problem:
> 
>         if (count != dev->report_size) {
>                 retval = -EINVAL;
>                 goto exit;
>         }

You are right, I missed this condition.

>         switch (dev->product_id) {
> ...
>         case USB_DEVICE_ID_CODEMERCS_IOW56:
> ...
>                 buf = usb_alloc_coherent(dev->udev, dev->report_size,
>                                          GFP_KERNEL, &int_out_urb->transfer_dma);
> ...
>                 if (copy_from_user(buf, user_buffer, count)) {
> 
> i.e. count must == dev->report_size, and the buf is allocated with size
> dev->report_size even though copy_from_user uses "count".
> 
> -Kees
>