Commit | Line | Data |
---|---|---|
14e9555d GKH |
1 | From a03ff54460817c76105f81f3aa8ef655759ccc9a Mon Sep 17 00:00:00 2001 |
2 | From: Alan Stern <stern@rowland.harvard.edu> | |
3 | Date: Mon, 13 May 2019 13:14:29 -0400 | |
4 | Subject: USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor | |
5 | ||
6 | From: Alan Stern <stern@rowland.harvard.edu> | |
7 | ||
8 | commit a03ff54460817c76105f81f3aa8ef655759ccc9a upstream. | |
9 | ||
10 | The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the | |
11 | USB core, caused by a failure to check the actual size of a BOS | |
12 | descriptor. This patch adds a check to make sure the descriptor is at | |
13 | least as large as it is supposed to be, so that the code doesn't | |
14 | inadvertently access memory beyond the end of the allocated region | |
15 | when assigning to dev->bos->desc->bNumDeviceCaps later on. | |
16 | ||
17 | Signed-off-by: Alan Stern <stern@rowland.harvard.edu> | |
18 | Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com | |
19 | CC: <stable@vger.kernel.org> | |
20 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
21 | ||
22 | --- | |
23 | drivers/usb/core/config.c | 4 ++-- | |
24 | 1 file changed, 2 insertions(+), 2 deletions(-) | |
25 | ||
26 | --- a/drivers/usb/core/config.c | |
27 | +++ b/drivers/usb/core/config.c | |
28 | @@ -936,8 +936,8 @@ int usb_get_bos_descriptor(struct usb_de | |
29 | ||
30 | /* Get BOS descriptor */ | |
31 | ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE); | |
32 | - if (ret < USB_DT_BOS_SIZE) { | |
33 | - dev_err(ddev, "unable to get BOS descriptor\n"); | |
34 | + if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) { | |
35 | + dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n"); | |
36 | if (ret >= 0) | |
37 | ret = -ENOMSG; | |
38 | kfree(bos); |
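Review bot: The added `bos->bLength < USB_DT_BOS_SIZE` test is only safe because of operand order, and nothing in the hunk says so. bLength is a device-supplied field that is meaningful only once `ret` shows the full USB_DT_BOS_SIZE header arrived, so the `ret` comparison has to stay first. A comment above the `if` would stop a later refactor from swapping or splitting the conditions, for example `/* bLength is device-controlled: read it only after a full-size transfer, and reject a short header before the descriptor is used further */`. The merged dev_err text also makes a short transfer indistinguishable from a malformed descriptor in the log; adding the return value, as in `dev_err(ddev, "unable to get BOS descriptor or descriptor too short (ret %d)\n", ret);`, would help triage without touching bLength on the short-read path. The rest of usb_get_bos_descriptor, including the later use of the descriptor fields, lies outside the hunk.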