* Patch "USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()" has been added to the 4.13-stable tree
@ 2017-10-23 12:56 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2017-10-23 12:56 UTC (permalink / raw)
To: stern, andreyknvl, gregkh; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
to the 4.13-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
usb-core-fix-out-of-bounds-access-bug-in-usb_get_bos_descriptor.patch
and it can be found in the queue-4.13 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From 1c0edc3633b56000e18d82fc241e3995ca18a69e Mon Sep 17 00:00:00 2001
From: Alan Stern <stern@rowland.harvard.edu>
Date: Wed, 18 Oct 2017 12:49:38 -0400
Subject: USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
From: Alan Stern <stern@rowland.harvard.edu>
commit 1c0edc3633b56000e18d82fc241e3995ca18a69e upstream.
Andrey used the syzkaller fuzzer to find an out-of-bounds memory
access in usb_get_bos_descriptor(). The code wasn't checking that the
next usb_dev_cap_header structure could fit into the remaining buffer
space.
This patch fixes the error and also reduces the bNumDeviceCaps field
in the header to match the actual number of capabilities found, in
cases where there are fewer than expected.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/config.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -960,10 +960,12 @@ int usb_get_bos_descriptor(struct usb_de
for (i = 0; i < num; i++) {
buffer += length;
cap = (struct usb_dev_cap_header *)buffer;
- length = cap->bLength;
- if (total_len < length)
+ if (total_len < sizeof(*cap) || total_len < cap->bLength) {
+ dev->bos->desc->bNumDeviceCaps = i;
break;
+ }
+ length = cap->bLength;
total_len -= length;
if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
Patches currently in stable-queue which might be from stern@rowland.harvard.edu are
queue-4.13/usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch
queue-4.13/usb-hub-allow-reset-retry-for-usb2-devices-on-connect-bounce.patch
queue-4.13/usb-core-fix-out-of-bounds-access-bug-in-usb_get_bos_descriptor.patch
queue-4.13/usb-quirks-add-quirk-for-worlde-mini-midi-keyboard.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2017-10-23 12:57 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-10-23 12:56 Patch "USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()" has been added to the 4.13-stable tree gregkh
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).