ACK/Cmnt: [PATCH] USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
Stefan Bader
stefan.bader at canonical.com
Mon Jul 23 13:16:49 UTC 2018
On 20.07.2018 15:59, Paolo Pisati wrote:
> From: Alan Stern <stern at rowland.harvard.edu>
>
> Andrey used the syzkaller fuzzer to find an out-of-bounds memory
> access in usb_get_bos_descriptor(). The code wasn't checking that the
> next usb_dev_cap_header structure could fit into the remaining buffer
> space.
>
> This patch fixes the error and also reduces the bNumDeviceCaps field
> in the header to match the actual number of capabilities found, in
> cases where there are fewer than expected.
>
> Reported-by: Andrey Konovalov <andreyknvl at google.com>
> Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
> Tested-by: Andrey Konovalov <andreyknvl at google.com>
> CC: <stable at vger.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> (cherry picked from commit 1c0edc3633b56000e18d82fc241e3995ca18a69e)
> Signed-off-by: Paolo Pisati <paolo.pisati at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
Needs CVE-2017-16535 added.
> drivers/usb/core/config.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 755d82f..4cf67fc 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -830,10 +830,12 @@ int usb_get_bos_descriptor(struct usb_device *dev)
> for (i = 0; i < num; i++) {
> buffer += length;
> cap = (struct usb_dev_cap_header *)buffer;
> - length = cap->bLength;
>
> - if (total_len < length)
> + if (total_len < sizeof(*cap) || total_len < cap->bLength) {
> + dev->bos->desc->bNumDeviceCaps = i;
> break;
> + }
> + length = cap->bLength;
> total_len -= length;
>
> if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
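Review bot: the new condition reads cap->bLength only after total_len < sizeof(*cap) has been ruled out, which closes the reported overread, but nothing in the hunk rejects a bLength smaller than sizeof(*cap). With bLength == 0, length becomes 0, so buffer += length and total_len -= length leave both unchanged and the remaining iterations re-examine the same header until i reaches num, without ever clamping bNumDeviceCaps. Consider breaking on that case too, e.g. `if (total_len < sizeof(*cap) || cap->bLength < sizeof(*cap) || total_len < cap->bLength) {`.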
>
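As an added, stand-alone illustration of the check the commit message describes (my own example, not the kernel's code and not part of this thread): a user-space walker over a BOS capability list that verifies the 3-byte capability header fits before reading bLength, then that the whole capability fits, and clamps the count the way the patch clamps bNumDeviceCaps. The descriptor layouts and type values follow the USB 3 spec, the sample buffer is constructed, and the extra "bLength smaller than its own header" check is an assumption of mine that goes beyond the hunk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_BOS               0x0f
#define USB_DT_DEVICE_CAPABILITY 0x10
#define BOS_HDR_LEN 5   /* bLength, bDescriptorType, wTotalLength (2), bNumDeviceCaps */
#define CAP_HDR_LEN 3   /* bLength, bDescriptorType, bDevCapabilityType */

struct bos_walk {
    size_t declared;   /* bNumDeviceCaps as the device claims it */
    size_t found;      /* capabilities that really fit; clamp bNumDeviceCaps to this */
    int    truncated;  /* set when the walk stopped before 'declared' */
};

/* Walk the capability list of a BOS descriptor held in buf[0..buf_len).
 * Same ordering as the patched kernel loop: make sure the remaining bytes
 * hold a capability header *before* reading bLength from it, then make sure
 * they hold the whole bLength. The bLength < CAP_HDR_LEN rejection is an
 * added check, not something the kernel hunk does. */
struct bos_walk walk_bos(const uint8_t *buf, size_t buf_len)
{
    struct bos_walk w = {0, 0, 0};
    if (buf_len < BOS_HDR_LEN || buf[1] != USB_DT_BOS)
        return w;
    w.declared = buf[4];
    size_t total_len = (size_t)buf[2] | ((size_t)buf[3] << 8); /* wTotalLength, LE */
    if (total_len > buf_len) total_len = buf_len;       /* never trust it past what we hold */
    if (total_len < BOS_HDR_LEN) total_len = BOS_HDR_LEN; /* header already verified above */
    for (size_t i = 0, off = BOS_HDR_LEN; i < w.declared; i++) {
        size_t remaining = total_len - off;
        if (remaining < CAP_HDR_LEN) break;              /* cannot read bLength safely */
        size_t length = buf[off];
        if (length < CAP_HDR_LEN || remaining < length) break;
        /* type dispatch would follow here; only the bounds matter for this example */
        w.found++;
        off += length;
    }
    w.truncated = w.found < w.declared;
    return w;
}

/* Constructed sample: the BOS header claims 3 capabilities in 17 bytes, but only
 * a complete USB 2.0 Extension cap (7 bytes) and the first 5 bytes of a cap
 * whose bLength says 10 actually follow. */
static const uint8_t sample_truncated_bos[] = {
    0x05, 0x0f, 0x11, 0x00, 0x03,              /* BOS: wTotalLength=17, bNumDeviceCaps=3 */
    0x07, 0x10, 0x02, 0x02, 0x00, 0x00, 0x00,  /* cap 1: bLength=7, USB 2.0 Extension */
    0x0a, 0x10, 0x03, 0x00, 0x0e,              /* cap 2: bLength=10, only 5 bytes present */
};

int main(void)
{
    struct bos_walk w = walk_bos(sample_truncated_bos, sizeof sample_truncated_bos);
    printf("declared=%zu found=%zu truncated=%d\n", w.declared, w.found, w.truncated);
    return 0;
}
```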