From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
"Alan Stern" <stern@rowland.harvard.edu>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>
Subject: [PATCH 3.16 23/72] USB: usbcore: Fix slab-out-of-bounds bug during device reset
Date: Sun, 08 Dec 2019 13:53:07 +0000 [thread overview]
Message-ID: <lsq.1575813165.536179437@decadent.org.uk> (raw)
In-Reply-To: <lsq.1575813164.154362148@decadent.org.uk>
3.16.79-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 3dd550a2d36596a1b0ee7955da3b611c031d3873 upstream.
The syzbot fuzzer provoked a slab-out-of-bounds error in the USB core:
BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
Read of size 1 at addr ffff8881d175bed6 by task kworker/0:3/2746
CPU: 0 PID: 2746 Comm: kworker/0:3 Not tainted 5.3.0-rc5+ #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:612
memcmp+0xa6/0xb0 lib/string.c:904
memcmp include/linux/string.h:400 [inline]
descriptors_changed drivers/usb/core/hub.c:5579 [inline]
usb_reset_and_verify_device+0x564/0x1300 drivers/usb/core/hub.c:5729
usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5898
rt2x00usb_probe+0x53/0x7af
drivers/net/wireless/ralink/rt2x00/rt2x00usb.c:806
The error occurs when the descriptors_changed() routine (called during
a device reset) attempts to compare the old and new BOS and capability
descriptors. The length it uses for the comparison is the
wTotalLength value stored in BOS descriptor, but this value is not
necessarily the same as the length actually allocated for the
descriptors. If it is larger the routine will call memcmp() with a
length that is too big, thus reading beyond the end of the allocated
region and leading to this fault.
The kernel reads the BOS descriptor twice: first to get the total
length of all the capability descriptors, and second to read it along
with all those other descriptors. A malicious (or very faulty) device
may send different values for the BOS descriptor fields each time.
The memory area will be allocated using the wTotalLength value read
the first time, but stored within it will be the value read the second
time.
To prevent this possibility from causing any errors, this patch
modifies the BOS descriptor after it has been read the second time:
It sets the wTotalLength field to the actual length of the descriptors
that were read in and validated. Then the memcpy() call, or any other
code using these descriptors, will be able to rely on wTotalLength
being valid.
Reported-and-tested-by: syzbot+35f4d916c623118d576e@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1909041154260.1722-100000@iolanthe.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/config.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -886,7 +886,7 @@ int usb_get_bos_descriptor(struct usb_de
struct device *ddev = &dev->dev;
struct usb_bos_descriptor *bos;
struct usb_dev_cap_header *cap;
- unsigned char *buffer;
+ unsigned char *buffer, *buffer0;
int length, total_len, num, i;
__u8 cap_type;
int ret;
@@ -931,10 +931,12 @@ int usb_get_bos_descriptor(struct usb_de
ret = -ENOMSG;
goto err;
}
+
+ buffer0 = buffer;
total_len -= length;
+ buffer += length;
for (i = 0; i < num; i++) {
- buffer += length;
cap = (struct usb_dev_cap_header *)buffer;
if (total_len < sizeof(*cap) || total_len < cap->bLength) {
@@ -948,8 +950,6 @@ int usb_get_bos_descriptor(struct usb_de
break;
}
- total_len -= length;
-
if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
dev_warn(ddev, "descriptor type invalid, skip\n");
continue;
@@ -974,7 +974,11 @@ int usb_get_bos_descriptor(struct usb_de
default:
break;
}
+
+ total_len -= length;
+ buffer += length;
}
+ dev->bos->desc->wTotalLength = cpu_to_le16(buffer - buffer0);
return 0;
next prev parent reply other threads:[~2019-12-08 13:58 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-08 13:52 [PATCH 3.16 00/72] 3.16.79-rc1 review Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 01/72] ASoC: Define a set of DAPM pre/post-up events Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 02/72] ASoC: sgtl5000: fix VAG power up timing Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 03/72] ASoC: sgtl5000: Improve VAG power and mute control Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 04/72] leds: leds-lp5562 allow firmware files up to the maximum length Ben Hutchings
2019-12-14 8:37 ` Pavel Machek
2019-12-14 18:44 ` Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 05/72] media: dib0700: fix link error for dibx000_i2c_set_speed Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 06/72] fbdev: ssd1307fb: return proper error code if write command fails Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 07/72] video: ssd1307fb: Start page range at page_offset Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 08/72] libertas_tf: Use correct channel range in lbtf_geo_init Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 09/72] x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI fails Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 10/72] video: of: display_timing: Add of_node_put() in of_get_display_timing() Ben Hutchings
2019-12-09 21:19 ` Doug Anderson
2019-12-10 13:27 ` Thierry Reding
2019-12-10 15:52 ` Ben Hutchings
2019-12-10 15:31 ` Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 11/72] ALSA: aoa: onyx: always initialize register read value Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 12/72] efi: cper: print AER info of PCIe fatal error Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 13/72] ext4: set error return correctly when ext4_htree_store_dirent fails Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 14/72] ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 15/72] media: tm6000: double free if usb disconnect while streaming Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 16/72] powerpc/rtas: use device model APIs and serialization during LPM Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 17/72] can: mcp251x: mcp251x_hw_reset(): allow more time after a reset Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 18/72] HID: hidraw: Fix invalid read in hidraw_ioctl Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 19/72] ext4: fix warning inside ext4_convert_unwritten_extents_endio Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 20/72] media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 21/72] mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 22/72] /dev/mem: Bail out upon SIGKILL Ben Hutchings
2019-12-08 13:53 ` Ben Hutchings [this message]
2019-12-08 13:53 ` [PATCH 3.16 24/72] Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 25/72] smack: use GFP_NOFS while holding inode_smack::smk_lock Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 26/72] HID: prodikeys: Fix general protection fault during probe Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 27/72] parisc: Disable HP HSC-PCI Cards to prevent kernel crash Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 28/72] Btrfs: fix use-after-free when using the tree modification log Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 29/72] btrfs: Relinquish CPUs in btrfs_compare_trees Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 30/72] KVM: mmio: cleanup kvm_set_mmio_spte_mask Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 31/72] KVM: x86: Manually calculate reserved bits when loading PDPTRS Ben Hutchings
2019-12-09 15:49 ` Sean Christopherson
2019-12-10 16:16 ` Ben Hutchings
2019-12-10 16:27 ` Sean Christopherson
2019-12-08 13:53 ` [PATCH 3.16 32/72] cfg80211: Purge frame registrations on iftype change Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 33/72] configfs: fix a deadlock in configfs_symlink() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 34/72] powerpc/pseries: correctly track irq state in default idle Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 35/72] hypfs: Fix error number left in struct pointer member Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 36/72] hwrng: core - don't wait on add_early_randomness() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 37/72] ALSA: hda - Add laptop imic fixup for ASUS M9V laptop Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 38/72] sch_netem: fix a divide by zero in tabledist() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 39/72] net/phy: fix DP83865 10 Mbps HDX loopback disable function Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 40/72] s390/topology: avoid firing events before kobjs are created Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 41/72] s390/cio: avoid calling strlen on null pointer Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 42/72] s390/cio: exclude subchannels with no parent from pseudo check Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 43/72] thermal: Fix use-after-free when unregistering thermal zone device Ben Hutchings
2019-12-08 16:22 ` Ido Schimmel
2019-12-08 18:09 ` Ben Hutchings
2019-12-09 1:40 ` Zhang Rui
2019-12-08 13:53 ` [PATCH 3.16 44/72] CIFS: fix max ea value size Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 45/72] fuse: fix missing unlock_page in fuse_writepage() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 46/72] CIFS: Fix oplock handling for SMB 2.1+ protocols Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 47/72] i2c: riic: Clear NACK in tend isr Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 48/72] ANDROID: binder: remove waitqueue when thread exits Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 49/72] media: b2c2-flexcop-usb: add sanity checking Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 50/72] cfg80211: add and use strongly typed element iteration macros Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 51/72] nl80211: validate beacon head Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 52/72] wimax: i2400: fix memory leak Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 53/72] wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 54/72] can: gs_usb: gs_can_open(): prevent memory leak Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 55/72] mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 56/72] mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 57/72] crypto: user - Fix crypto_alg_match race Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 58/72] crypto: user - fix memory leak in crypto_report Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 59/72] scsi: bfa: release allocated memory in case of error Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 60/72] appletalk: Fix potential NULL pointer dereference in unregister_snap_client Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 61/72] appletalk: Set error code if register_snap_client failed Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 62/72] KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332) Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 63/72] USB: adutux: remove redundant variable minor Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 64/72] USB: adutux: fix use-after-free on disconnect Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 65/72] Input: ff-memless - kill timer in destroy() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 66/72] HID: hiddev: do cleanup in failure of opening a device Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 67/72] HID: hiddev: avoid opening a disconnected device Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 68/72] usb: iowarrior: fix deadlock on disconnect Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 69/72] USB: iowarrior: fix use-after-free " Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 70/72] HID: Fix assumption that devices have inputs Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 71/72] media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 72/72] can: peak_usb: fix slab info leak Ben Hutchings
2019-12-08 14:49 ` [PATCH 3.16 00/72] 3.16.79-rc1 review Guenter Roeck
2019-12-08 15:09 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1575813165.536179437@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=gregkh@linuxfoundation.org \
--cc=kda@linux-powerpc.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).