From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail-wm0-f67.google.com ([74.125.82.67]:33550 "EHLO
        mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751432AbdEJOPm (ORCPT
        <rfc822;stable@vger.kernel.org>); Wed, 10 May 2017 10:15:42 -0400
Date: Wed, 10 May 2017 16:15:33 +0200
From: Johan Hovold <johan@kernel.org>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Johan Hovold <johan@kernel.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Felipe Balbi <balbi@kernel.org>,
        Mathias Nyman <mathias.nyman@intel.com>,
        linux-usb@vger.kernel.org, stable <stable@vger.kernel.org>,
        John Youn <John.Youn@synopsys.com>
Subject: Re: [PATCH 3/6] USB: hub: fix SS hub-descriptor handling
Message-ID: <20170510141533.GF30445@localhost>
References: <20170510125056.29155-4-johan@kernel.org>
 <Pine.LNX.4.44L0.1705101001500.2061-100000@iolanthe.rowland.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.44L0.1705101001500.2061-100000@iolanthe.rowland.org>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Wed, May 10, 2017 at 10:04:32AM -0400, Alan Stern wrote:
> On Wed, 10 May 2017, Johan Hovold wrote:
> 
> > A SuperSpeed hub descriptor does not have any variable-length fields so
> > bail out when reading a short descriptor.
> 
> You mean: bail out when reading a descriptor that is not exactly the
> right length.  The existing code already bails out when it reads a
> short descriptor.

No, the current code happily accepts a 9-byte descriptor, while an SS
descriptor is always 12 bytes. And since we request 12 bytes for SS
hubs, the patch description is correct.

> > This avoids parsing and leaking two bytes of uninitialised slab data
> > through sysfs removable-attributes.
> > 
> > Fixes: dbe79bbe9dcb ("USB 3.0 Hub Changes")
> > Cc: stable <stable@vger.kernel.org>     # 2.6.39
> > Cc: John Youn <John.Youn@synopsys.com>
> > Signed-off-by: Johan Hovold <johan@kernel.org>
> > ---
> >  drivers/usb/core/hub.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
> > index 9dca59ef18b3..3ff1e9f89f2d 100644
> > --- a/drivers/usb/core/hub.c
> > +++ b/drivers/usb/core/hub.c
> > @@ -380,8 +380,12 @@ static int get_hub_descriptor(struct usb_device *hdev, void *data)
> >  			USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB,
> >  			dtype << 8, 0, data, size,
> >  			USB_CTRL_GET_TIMEOUT);
> > -		if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2))
> > +		if (hub_is_superspeed(hdev)) {
> > +			if (ret == size)
> > +				return ret;
> > +		} else if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) {
> >  			return ret;
> > +		}
> >  	}
> >  	return -EINVAL;
> >  }

Thanks,
Johan