From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
	roswest <roswest@cisco.com>
Subject: [PATCH 3.14 11/35] USB: validate wMaxPacketValue entries in endpoint descriptors
Date: Mon,  5 Sep 2016 18:43:12 +0200
Message-ID: <20160905163959.160279362@linuxfoundation.org>
In-Reply-To: <20160905163958.687259537@linuxfoundation.org>

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit aed9d65ac3278d4febd8665bd7db59ef53e825fe upstream.

Erroneous or malicious endpoint descriptors may have non-zero bits in
reserved positions, or out-of-bounds values.  This patch helps prevent
these from causing problems by bounds-checking the wMaxPacketValue
entries in endpoint descriptors and capping the values at the maximum
allowed.

This issue was first discovered and tests were conducted by Jake Lamberson
<jake.lamberson1@gmail.com>, an intern working for Rosie Hall.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: roswest <roswest@cisco.com>
Tested-by: roswest <roswest@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/config.c |   66 +++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 63 insertions(+), 3 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -143,6 +143,31 @@ static void usb_parse_ss_endpoint_compan
 	}
 }
 
+static const unsigned short low_speed_maxpacket_maxes[4] = {
+	[USB_ENDPOINT_XFER_CONTROL] = 8,
+	[USB_ENDPOINT_XFER_ISOC] = 0,
+	[USB_ENDPOINT_XFER_BULK] = 0,
+	[USB_ENDPOINT_XFER_INT] = 8,
+};
+static const unsigned short full_speed_maxpacket_maxes[4] = {
+	[USB_ENDPOINT_XFER_CONTROL] = 64,
+	[USB_ENDPOINT_XFER_ISOC] = 1023,
+	[USB_ENDPOINT_XFER_BULK] = 64,
+	[USB_ENDPOINT_XFER_INT] = 64,
+};
+static const unsigned short high_speed_maxpacket_maxes[4] = {
+	[USB_ENDPOINT_XFER_CONTROL] = 64,
+	[USB_ENDPOINT_XFER_ISOC] = 1024,
+	[USB_ENDPOINT_XFER_BULK] = 512,
+	[USB_ENDPOINT_XFER_INT] = 1023,
+};
+static const unsigned short super_speed_maxpacket_maxes[4] = {
+	[USB_ENDPOINT_XFER_CONTROL] = 512,
+	[USB_ENDPOINT_XFER_ISOC] = 1024,
+	[USB_ENDPOINT_XFER_BULK] = 1024,
+	[USB_ENDPOINT_XFER_INT] = 1024,
+};
+
 static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
     int asnum, struct usb_host_interface *ifp, int num_ep,
     unsigned char *buffer, int size)
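
Review bot: The [USB_ENDPOINT_XFER_INT] = 1023 entry in high_speed_maxpacket_maxes looks like a typo. USB 2.0 allows a high-speed interrupt endpoint a maximum packet size of 1024 bytes; 1023 is the full-speed isochronous limit, which the full-speed table already carries. As written, a compliant high-speed interrupt endpoint that declares 1024 would trigger the new warning and be capped to 1023. Suggest changing the entry to 1024. A short comment above the tables saying that the values are the per-speed limits from the USB specifications, and that 0 marks a transfer type not permitted at that speed, would also help the next reader.
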
@@ -151,6 +176,8 @@ static int usb_parse_endpoint(struct dev
 	struct usb_endpoint_descriptor *d;
 	struct usb_host_endpoint *endpoint;
 	int n, i, j, retval;
+	unsigned int maxp;
+	const unsigned short *maxpacket_maxes;
 
 	d = (struct usb_endpoint_descriptor *) buffer;
 	buffer += d->bLength;
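
Review bot: Declaring two more locals next to maxp, for example an unsigned variable for bits 12..11 and another for the table limit, would avoid reusing the signed loop counters i and j from the "int n, i, j, retval;" line for unrelated purposes in the validation code, and would keep the later "maxp > j" comparison unsigned on both sides.
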
@@ -247,6 +274,42 @@ static int usb_parse_endpoint(struct dev
 			endpoint->desc.wMaxPacketSize = cpu_to_le16(8);
 	}
 
+	/* Validate the wMaxPacketSize field */
+	maxp = usb_endpoint_maxp(&endpoint->desc);
+
+	/* Find the highest legal maxpacket size for this endpoint */
+	i = 0;		/* additional transactions per microframe */
+	switch (to_usb_device(ddev)->speed) {
+	case USB_SPEED_LOW:
+		maxpacket_maxes = low_speed_maxpacket_maxes;
+		break;
+	case USB_SPEED_FULL:
+		maxpacket_maxes = full_speed_maxpacket_maxes;
+		break;
+	case USB_SPEED_HIGH:
+		/* Bits 12..11 are allowed only for HS periodic endpoints */
+		if (usb_endpoint_xfer_int(d) || usb_endpoint_xfer_isoc(d)) {
+			i = maxp & (BIT(12) | BIT(11));
+			maxp &= ~i;
+		}
+		/* fallthrough */
+	default:
+		maxpacket_maxes = high_speed_maxpacket_maxes;
+		break;
+	case USB_SPEED_SUPER:
+	case USB_SPEED_SUPER_PLUS:
+		maxpacket_maxes = super_speed_maxpacket_maxes;
+		break;
+	}
+	j = maxpacket_maxes[usb_endpoint_type(&endpoint->desc)];
+
+	if (maxp > j) {
+		dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid maxpacket %d, setting to %d\n",
+		    cfgno, inum, asnum, d->bEndpointAddress, maxp, j);
+		maxp = j;
+		endpoint->desc.wMaxPacketSize = cpu_to_le16(i | maxp);
+	}
+
 	/*
 	 * Some buggy high speed devices have bulk endpoints using
 	 * maxpacket sizes other than 512.  High speed HCDs may not
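
Review bot: When the table entry is 0, as for a low-speed isochronous endpoint, the "if (maxp > j)" branch warns and then stores a wMaxPacketSize of 0, but the endpoint itself is still kept. If a zero-length endpoint is the intended result for a transfer type that is not legal at that speed, a comment saying so would help; otherwise consider rejecting or skipping the endpoint in that case rather than capping it. Minor: maxp is unsigned int, so the dev_warn format should use %u for it rather than %d.
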
@@ -254,9 +317,6 @@ static int usb_parse_endpoint(struct dev
 	 */
 	if (to_usb_device(ddev)->speed == USB_SPEED_HIGH
 			&& usb_endpoint_xfer_bulk(d)) {
-		unsigned maxp;
-
-		maxp = usb_endpoint_maxp(&endpoint->desc) & 0x07ff;
 		if (maxp != 512)
 			dev_warn(ddev, "config %d interface %d altsetting %d "
 				"bulk endpoint 0x%X has invalid maxpacket %d\n",

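Review bot: With the "& 0x07ff" mask removed, the "maxp != 512" test depends on the value left in maxp by the validation block earlier in the function, which is not obvious at this distance. A one-line comment stating that maxp has already been validated and capped above, so it is at most 512 for a high-speed bulk endpoint, would make the dependency explicit. There is also a behaviour change worth mentioning in the changelog: a high-speed bulk descriptor with bits 12..11 set on top of 512 used to pass this check silently after masking, and is now reported and rewritten by the earlier block instead.
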