From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail-sn1nam02on0125.outbound.protection.outlook.com ([104.47.36.125]:45242
        "EHLO NAM02-SN1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1032269AbeCAPbe (ORCPT <rfc822;stable@vger.kernel.org>);
        Thu, 1 Mar 2018 10:31:34 -0500
From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
        "stable-commits@vger.kernel.org" <stable-commits@vger.kernel.org>
CC: Shuah Khan <shuahkh@osg.samsung.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [added to the 4.1 stable tree] usbip: fix stub_rx: get_pipe() to
 validate endpoint number
Date: Thu, 1 Mar 2018 15:24:55 +0000
Message-ID: <20180301152116.1486-232-alexander.levin@microsoft.com>
References: <20180301152116.1486-1-alexander.levin@microsoft.com>
In-Reply-To: <20180301152116.1486-1-alexander.levin@microsoft.com>
Content-Language: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

From: Shuah Khan <shuahkh@osg.samsung.com>

This patch has been added to the 4.1 stable tree. If you have any
objections, please let us know.

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

[ Upstream commit 635f545a7e8be7596b9b2b6a43cab6bbd5a88e43 ]

get_pipe() routine doesn't validate the input endpoint number
and uses to reference ep_in and ep_out arrays. Invalid endpoint
number can trigger BUG(). Range check the epnum and returning
error instead of calling BUG().

Change caller stub_recv_cmd_submit() to handle the get_pipe()
error return.

Reported-by: Secunia Research <vuln@secunia.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 drivers/usb/usbip/stub_rx.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c
index 7de54a66044f..e617c90661b4 100644
--- a/drivers/usb/usbip/stub_rx.c
+++ b/drivers/usb/usbip/stub_rx.c
@@ -344,15 +344,15 @@ static int get_pipe(struct stub_device *sdev, int epn=
um, int dir)
 	struct usb_host_endpoint *ep;
 	struct usb_endpoint_descriptor *epd =3D NULL;
=20
+	if (epnum < 0 || epnum > 15)
+		goto err_ret;
+
 	if (dir =3D=3D USBIP_DIR_IN)
 		ep =3D udev->ep_in[epnum & 0x7f];
 	else
 		ep =3D udev->ep_out[epnum & 0x7f];
-	if (!ep) {
-		dev_err(&sdev->interface->dev, "no such endpoint?, %d\n",
-			epnum);
-		BUG();
-	}
+	if (!ep)
+		goto err_ret;
=20
 	epd =3D &ep->desc;
 	if (usb_endpoint_xfer_control(epd)) {
@@ -383,9 +383,10 @@ static int get_pipe(struct stub_device *sdev, int epnu=
m, int dir)
 			return usb_rcvisocpipe(udev, epnum);
 	}
=20
+err_ret:
 	/* NOT REACHED */
-	dev_err(&sdev->interface->dev, "get pipe, epnum %d\n", epnum);
-	return 0;
+	dev_err(&sdev->udev->dev, "get pipe() invalid epnum %d\n", epnum);
+	return -1;
 }
=20
 static void masking_bogus_flags(struct urb *urb)
@@ -451,6 +452,9 @@ static void stub_recv_cmd_submit(struct stub_device *sd=
ev,
 	struct usb_device *udev =3D sdev->udev;
 	int pipe =3D get_pipe(sdev, pdu->base.ep, pdu->base.direction);
=20
+	if (pipe =3D=3D -1)
+		return;
+
 	priv =3D stub_priv_alloc(sdev, pdu);
 	if (!priv)
 		return;
--=20
2.14.1