From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Johan Hovold <johan@kernel.org>,
Alan Stern <stern@rowland.harvard.edu>
Subject: [PATCH 4.9 90/91] USB: core: fix check for duplicate endpoints
Date: Sat, 11 Jan 2020 10:50:23 +0100 [thread overview]
Message-ID: <20200111094913.478733512@linuxfoundation.org> (raw)
In-Reply-To: <20200111094844.748507863@linuxfoundation.org>
From: Johan Hovold <johan@kernel.org>
commit 3e4f8e21c4f27bcf30a48486b9dcc269512b79ff upstream.
Amend the endpoint-descriptor sanity checks to detect all duplicate
endpoint addresses in a configuration.
Commit 0a8fd1346254 ("USB: fix problems with duplicate endpoint
addresses") added a check for duplicate endpoint addresses within a
single alternate setting, but did not look for duplicate addresses in
other interfaces.
The current check would also not detect all duplicate addresses when one
endpoint is as a (bi-directional) control endpoint.
This specifically avoids overwriting the endpoint entries in struct
usb_device when enabling a duplicate endpoint, something which could
potentially lead to crashes or leaks, for example, when endpoints are
later disabled.
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20191219161016.6695-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/config.c | 70 ++++++++++++++++++++++++++++++++++++++--------
1 file changed, 58 insertions(+), 12 deletions(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -198,9 +198,58 @@ static const unsigned short super_speed_
[USB_ENDPOINT_XFER_INT] = 1024,
};
-static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
- int asnum, struct usb_host_interface *ifp, int num_ep,
- unsigned char *buffer, int size)
+static bool endpoint_is_duplicate(struct usb_endpoint_descriptor *e1,
+ struct usb_endpoint_descriptor *e2)
+{
+ if (e1->bEndpointAddress == e2->bEndpointAddress)
+ return true;
+
+ if (usb_endpoint_xfer_control(e1) || usb_endpoint_xfer_control(e2)) {
+ if (usb_endpoint_num(e1) == usb_endpoint_num(e2))
+ return true;
+ }
+
+ return false;
+}
+
+/*
+ * Check for duplicate endpoint addresses in other interfaces and in the
+ * altsetting currently being parsed.
+ */
+static bool config_endpoint_is_duplicate(struct usb_host_config *config,
+ int inum, int asnum, struct usb_endpoint_descriptor *d)
+{
+ struct usb_endpoint_descriptor *epd;
+ struct usb_interface_cache *intfc;
+ struct usb_host_interface *alt;
+ int i, j, k;
+
+ for (i = 0; i < config->desc.bNumInterfaces; ++i) {
+ intfc = config->intf_cache[i];
+
+ for (j = 0; j < intfc->num_altsetting; ++j) {
+ alt = &intfc->altsetting[j];
+
+ if (alt->desc.bInterfaceNumber == inum &&
+ alt->desc.bAlternateSetting != asnum)
+ continue;
+
+ for (k = 0; k < alt->desc.bNumEndpoints; ++k) {
+ epd = &alt->endpoint[k].desc;
+
+ if (endpoint_is_duplicate(epd, d))
+ return true;
+ }
+ }
+ }
+
+ return false;
+}
+
+static int usb_parse_endpoint(struct device *ddev, int cfgno,
+ struct usb_host_config *config, int inum, int asnum,
+ struct usb_host_interface *ifp, int num_ep,
+ unsigned char *buffer, int size)
{
unsigned char *buffer0 = buffer;
struct usb_endpoint_descriptor *d;
@@ -237,13 +286,10 @@ static int usb_parse_endpoint(struct dev
goto skip_to_next_endpoint_or_interface_descriptor;
/* Check for duplicate endpoint addresses */
- for (i = 0; i < ifp->desc.bNumEndpoints; ++i) {
- if (ifp->endpoint[i].desc.bEndpointAddress ==
- d->bEndpointAddress) {
- dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
- cfgno, inum, asnum, d->bEndpointAddress);
- goto skip_to_next_endpoint_or_interface_descriptor;
- }
+ if (config_endpoint_is_duplicate(config, inum, asnum, d)) {
+ dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
+ cfgno, inum, asnum, d->bEndpointAddress);
+ goto skip_to_next_endpoint_or_interface_descriptor;
}
endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
@@ -517,8 +563,8 @@ static int usb_parse_interface(struct de
if (((struct usb_descriptor_header *) buffer)->bDescriptorType
== USB_DT_INTERFACE)
break;
- retval = usb_parse_endpoint(ddev, cfgno, inum, asnum, alt,
- num_ep, buffer, size);
+ retval = usb_parse_endpoint(ddev, cfgno, config, inum, asnum,
+ alt, num_ep, buffer, size);
if (retval < 0)
return retval;
++n;
next prev parent reply other threads:[~2020-01-11 10:06 UTC|newest]
Thread overview: 97+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-11 9:48 [PATCH 4.9 00/91] 4.9.209-stable review Greg Kroah-Hartman
2020-01-11 9:48 ` [PATCH 4.9 01/91] PM / devfreq: Dont fail devfreq_dev_release if not in list Greg Kroah-Hartman
2020-01-11 9:48 ` [PATCH 4.9 02/91] RDMA/cma: add missed unregister_pernet_subsys in init failure Greg Kroah-Hartman
2020-01-11 9:48 ` [PATCH 4.9 03/91] scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func Greg Kroah-Hartman
2020-01-11 9:48 ` [PATCH 4.9 04/91] scsi: qla2xxx: Dont call qlt_async_event twice Greg Kroah-Hartman
2020-01-11 9:48 ` [PATCH 4.9 05/91] scsi: iscsi: qla4xxx: fix double free in probe Greg Kroah-Hartman
2020-01-11 9:48 ` [PATCH 4.9 06/91] scsi: libsas: stop discovering if oob mode is disconnected Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 07/91] usb: gadget: fix wrong endpoint desc Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 08/91] md: raid1: check rdev before reference in raid1_sync_request func Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 09/91] s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 10/91] s390/cpum_sf: Avoid SBD overflow condition in irq handler Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 11/91] IB/mlx4: Follow mirror sequence of device add during device removal Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 12/91] xen-blkback: prevent premature module unload Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 13/91] xen/balloon: fix ballooned page accounting without hotplug enabled Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 14/91] PM / hibernate: memory_bm_find_bit(): Tighten node optimisation Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 15/91] xfs: fix mount failure crash on invalid iclog memory access Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 16/91] taskstats: fix data-race Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 17/91] drm: limit to INT_MAX in create_blob ioctl Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 18/91] Revert "perf report: Add warning when libunwind not compiled in" Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 19/91] ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 20/91] MIPS: Avoid VDSO ABI breakage due to global register variable Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 21/91] mm/zsmalloc.c: fix the migrated zspage statistics Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 22/91] memcg: account security cred as well to kmemcg Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 23/91] locks: print unsigned ino in /proc/locks Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 24/91] dmaengine: Fix access to uninitialized dma_slave_caps Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 25/91] compat_ioctl: block: handle Persistent Reservations Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 26/91] ata: libahci_platform: Export again ahci_platform_<en/dis>able_phys() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 27/91] ata: ahci_brcm: Allow optional reset controller to be used Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 28/91] ata: ahci_brcm: Fix AHCI resources management Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 29/91] gpiolib: fix up emulated open drain outputs Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 30/91] tracing: Have the histogram compare functions convert to u64 first Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 31/91] ALSA: cs4236: fix error return comparison of an unsigned integer Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 32/91] ftrace: Avoid potential division by zero in function profiler Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 33/91] arm64: Revert support for execute-only user mappings Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 34/91] PM / devfreq: Check NULL governor in available_governors_show Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 35/91] nfsd4: fix up replay_matches_cache() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 36/91] xfs: dont check for AG deadlock for realtime files in bunmapi Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 37/91] Bluetooth: btusb: fix PM leak in error case of setup Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 38/91] Bluetooth: delete a stray unlock Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 39/91] Bluetooth: Fix memory leak in hci_connect_le_scan Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 40/91] media: flexcop-usb: ensure -EIO is returned on error condition Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 41/91] regulator: ab8500: Remove AB8505 USB regulator Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 42/91] media: usb: fix memory leak in af9005_identify_state Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 43/91] tty: serial: msm_serial: Fix lockup for sysrq and oops Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 44/91] fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 45/91] drm/mst: Fix MST sideband up-reply failure handling Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 46/91] powerpc/pseries/hvconsole: Fix stack overread via udbg Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 47/91] coresight: tmc-etf: Do not call smp_processor_id from preemptible Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 48/91] coresight: etb10: " Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 49/91] rxrpc: Fix possible NULL pointer access in ICMP handling Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 50/91] ath9k_htc: Modify byte order for an error message Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 51/91] ath9k_htc: Discard undersized packets Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 52/91] net: add annotations on hh->hh_len lockless accesses Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 53/91] s390/smp: fix physical to logical CPU map for SMT Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 54/91] xen/blkback: Avoid unmapping unmapped grant pages Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 55/91] locking/x86: Remove the unused atomic_inc_short() methd Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 56/91] pstore/ram: Write new dumps to start of recycled zones Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 57/91] locking/spinlock/debug: Fix various data races Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 58/91] netfilter: ctnetlink: netns exit must wait for callbacks Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 59/91] efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 60/91] efi/gop: Return EFI_SUCCESS if a usable GOP was found Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 61/91] efi/gop: Fix memory leak in __gop_query32/64() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 62/91] ARM: vexpress: Set-up shared OPP table instead of individual for each CPU Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 63/91] netfilter: uapi: Avoid undefined left-shift in xt_sctp.h Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 64/91] spi: spi-cavium-thunderx: Add missing pci_release_regions() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 65/91] ARM: dts: am437x-gp/epos-evm: fix panel compatible Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.9 66/91] samples: bpf: Replace symbol compare of trace_event Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 67/91] powerpc: Ensure that swiotlb buffer is allocated from low memory Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 68/91] bnx2x: Do not handle requests from VFs after parity Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 69/91] bnx2x: Fix logic to get total no. of PFs per engine Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 70/91] net: usb: lan78xx: Fix error message format specifier Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 71/91] rfkill: Fix incorrect check to avoid NULL pointer dereference Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 72/91] ASoC: wm8962: fix lambda value Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 73/91] regulator: rn5t618: fix module aliases Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 74/91] kconfig: dont crash on NULL expressions in expr_eq() Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 75/91] perf/x86/intel: Fix PT PMI handling Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 76/91] net: stmmac: RX buffer size must be 16 byte aligned Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 77/91] block: fix memleak when __blk_rq_map_user_iov() is failed Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 78/91] parisc: Fix compiler warnings in debug_core.c Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 79/91] llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 80/91] macvlan: do not assume mac_header is set in macvlan_broadcast() Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 81/91] net: stmmac: dwmac-sunxi: Allow all RGMII modes Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 82/91] net: usb: lan78xx: fix possible skb leak Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 83/91] pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 84/91] sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 85/91] tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 86/91] vxlan: fix tos value before xmit Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 87/91] vlan: vlan_changelink() should propagate errors Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 88/91] net: sch_prio: When ungrafting, replace with FIFO Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.9 89/91] vlan: fix memory leak in vlan_dev_set_egress_priority Greg Kroah-Hartman
2020-01-11 9:50 ` Greg Kroah-Hartman [this message]
2020-01-11 9:50 ` [PATCH 4.9 91/91] USB: serial: option: add Telit ME910G1 0x110a composition Greg Kroah-Hartman
2020-01-11 15:44 ` [PATCH 4.9 00/91] 4.9.209-stable review Guenter Roeck
2020-01-11 17:51 ` Greg Kroah-Hartman
2020-01-11 20:09 ` Guenter Roeck
2020-01-12 4:55 ` Naresh Kamboju
2020-01-13 15:47 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200111094913.478733512@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=johan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).