* Patch "USB: fix out-of-bounds in usb_set_configuration" has been added to the 3.18-stable tree
@ 2017-10-09 12:03 gregkh
From: gregkh @ 2017-10-09 12:03 UTC (permalink / raw)
To: gregkh, andreyknvl; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
USB: fix out-of-bounds in usb_set_configuration
to the 3.18-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
usb-fix-out-of-bounds-in-usb_set_configuration.patch
and it can be found in the queue-3.18 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
From bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 19 Sep 2017 15:07:17 +0200
Subject: USB: fix out-of-bounds in usb_set_configuration
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb upstream.
Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
association descriptor. He writes:

	It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
	descriptor. It's only checked that the size is >= 2 in
	usb_parse_configuration(), so find_iad() might do out-of-bounds access
	to intf_assoc->bInterfaceCount.

And he's right, we don't check for crazy descriptors of this type very well, so
resolve this problem. Yet another issue found by syzkaller...
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/config.c | 14 +++++++++++---
include/uapi/linux/usb/ch9.h | 1 +
2 files changed, 12 insertions(+), 3 deletions(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -538,15 +538,23 @@ static int usb_parse_configuration(struc
} else if (header->bDescriptorType ==
USB_DT_INTERFACE_ASSOCIATION) {
+ struct usb_interface_assoc_descriptor *d;
+
+ d = (struct usb_interface_assoc_descriptor *)header;
+ if (d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE) {
+ dev_warn(ddev,
+ "config %d has an invalid interface association descriptor of length %d, skipping\n",
+ cfgno, d->bLength);
+ continue;
+ }
+
if (iad_num == USB_MAXIADS) {
dev_warn(ddev, "found more Interface "
"Association Descriptors "
"than allocated for in "
"configuration %d\n", cfgno);
} else {
- config->intf_assoc[iad_num] =
- (struct usb_interface_assoc_descriptor
- *)header;
+ config->intf_assoc[iad_num] = d;
iad_num++;
}
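Review bot: the new "d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE" test at the top of the USB_DT_INTERFACE_ASSOCIATION branch only bounds the length the descriptor declares for itself; nothing in this hunk shows that those bLength bytes still lie inside the configuration buffer. The stored pointer "config->intf_assoc[iad_num] = d" is safe to dereference later only if the enclosing loop has already rejected a header->bLength larger than the bytes remaining, so it is worth confirming that check exists above this branch and saying so in a one-line comment next to the new test. The "continue" also relies on the loop's own step to advance past the skipped descriptor, which should be checked against the loop header since it is outside the visible context.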
--- a/include/uapi/linux/usb/ch9.h
+++ b/include/uapi/linux/usb/ch9.h
@@ -705,6 +705,7 @@ struct usb_interface_assoc_descriptor {
__u8 iFunction;
} __attribute__ ((packed));
+#define USB_DT_INTERFACE_ASSOCIATION_SIZE 8
/*-------------------------------------------------------------------------*/
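Review bot: the literal 8 in the new "#define USB_DT_INTERFACE_ASSOCIATION_SIZE 8", placed right after the closing "} __attribute__ ((packed));" of struct usb_interface_assoc_descriptor, is not tied to the struct it describes, so the two can drift apart without any build failure. Because the define lands in include/uapi/linux/usb/ch9.h it also becomes visible to userspace, which makes a later correction harder. A short comment stating that the value is the packed size of the struct, or a compile-time comparison against sizeof(struct usb_interface_assoc_descriptor) in config.c, would document the intent and catch a mismatch.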
Patches currently in stable-queue which might be from gregkh@linuxfoundation.org are
queue-3.18/usb-fix-out-of-bounds-in-usb_set_configuration.patch
queue-3.18/xhci-fix-finding-correct-bus_state-structure-for-usb-3.1-hosts.patch
queue-3.18/usb-uas-fix-bug-in-handling-of-alternate-settings.patch
queue-3.18/alsa-usb-audio-check-out-of-bounds-access-by-corrupted-buffer-descriptor.patch
queue-3.18/usb-increase-quirk-delay-for-usb-devices.patch
queue-3.18/usb-dummy-hcd-fix-infinite-loop-resubmission-bug.patch
queue-3.18/usb-pci-quirks.c-corrected-timeout-values-used-in-handshake.patch
queue-3.18/usb-storage-unusual_devs-entry-to-fix-write-access-regression-for-seagate-external-drives.patch
queue-3.18/usb-renesas_usbhs-fix-usbhsf_fifo_clear-for-rx-direction.patch
queue-3.18/usb-renesas_usbhs-fix-the-bclr-setting-condition-for-non-dcp-pipe.patch
queue-3.18/usb-gadgetfs-fix-copy_to_user-while-holding-spinlock.patch
queue-3.18/usb-devio-don-t-corrupt-user-memory.patch
queue-3.18/usb-gadget-inode.c-fix-unbalanced-spin_lock-in-ep0_write.patch
queue-3.18/usb-gadgetfs-fix-crash-caused-by-inadequate-synchronization.patch
queue-3.18/usb-dummy-hcd-fix-connection-failures-wrong-speed.patch
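The length problem described in the commit message above, as an added userspace example that is not code from the patch or the kernel tree: a simplified descriptor walker that applies a generic header check and then the per-type minimum length the patch introduces. The names scan_iads, iad_scan, iad_interface_count, MAX_IADS and the sample bytes are constructed for this sketch; only the descriptor type 0x0b and the size 8 correspond to the USB interface association descriptor.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DT_IAD      0x0b /* USB_DT_INTERFACE_ASSOCIATION */
#define DT_IAD_SIZE 8    /* same value as the patch's USB_DT_INTERFACE_ASSOCIATION_SIZE */
#define MAX_IADS    4    /* constructed limit for this sketch */

/* Constructed sample: one full 8-byte IAD, then an IAD that claims only 2 bytes. */
static const uint8_t sample[] = { 8, 0x0b, 0, 2, 0x0e, 3, 0, 0,  2, 0x0b };

struct iad_scan {
	const uint8_t *iad[MAX_IADS]; /* descriptors that passed the length check */
	int accepted;
	int skipped;                  /* IADs rejected because bLength < 8 */
};

/* Walk the blob; return 0 on success, -1 if a header does not fit the buffer. */
int scan_iads(const uint8_t *buf, size_t size, struct iad_scan *out)
{
	out->accepted = out->skipped = 0;
	while (size > 0) {
		if (size < 2)
			return -1;          /* no room for bLength + bDescriptorType */
		uint8_t len = buf[0], type = buf[1];
		if (len < 2 || len > size)
			return -1;          /* generic check: header sane, body in bounds */
		if (type == DT_IAD) {
			if (len < DT_IAD_SIZE)
				out->skipped++; /* too short to contain bInterfaceCount */
			else if (out->accepted < MAX_IADS)
				out->iad[out->accepted++] = buf;
		}
		buf += len;
		size -= len;
	}
	return 0;
}

/* bInterfaceCount is byte 3 of an IAD; only accepted entries are ever read. */
int iad_interface_count(const struct iad_scan *s, int i)
{
	return (i >= 0 && i < s->accepted) ? s->iad[i][3] : -1;
}

int main(void)
{
	struct iad_scan s;
	int rc = scan_iads(sample, sizeof(sample), &s);
	printf("rc=%d accepted=%d skipped=%d\n", rc, s.accepted, s.skipped);
	return rc ? 1 : 0;
}
```

Without the DT_IAD_SIZE test the second descriptor would be stored, and reading byte 3 of it would land past the end of the 10-byte buffer.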