[thirdparty/kernel/stable-queue.git] / releases / 4.13.6 / usb-fix-out-of-bounds-in-usb_set_configuration.patch

From bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 19 Sep 2017 15:07:17 +0200
Subject: USB: fix out-of-bounds in usb_set_configuration

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb upstream.

Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
association descriptor.  He writes:
	It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
	descriptor. It's only checked that the size is >= 2 in
	usb_parse_configuration(), so find_iad() might do out-of-bounds access
	to intf_assoc->bInterfaceCount.

And he's right, we don't check for crazy descriptors of this type very well, so
resolve this problem.  Yet another issue found by syzkaller...

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/config.c    |   14 +++++++++++---
 include/uapi/linux/usb/ch9.h |    1 +
 2 files changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -643,15 +643,23 @@ static int usb_parse_configuration(struc
 
 		} else if (header->bDescriptorType ==
 				USB_DT_INTERFACE_ASSOCIATION) {
+			struct usb_interface_assoc_descriptor *d;
+
+			d = (struct usb_interface_assoc_descriptor *)header;
+			if (d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE) {
+				dev_warn(ddev,
+					 "config %d has an invalid interface association descriptor of length %d, skipping\n",
+					 cfgno, d->bLength);
+				continue;
+			}
+
 			if (iad_num == USB_MAXIADS) {
 				dev_warn(ddev, "found more Interface "
 					       "Association Descriptors "
 					       "than allocated for in "
 					       "configuration %d\n", cfgno);
 			} else {
-				config->intf_assoc[iad_num] =
-					(struct usb_interface_assoc_descriptor
-					*)header;
+				config->intf_assoc[iad_num] = d;
 				iad_num++;
 			}
 
--- a/include/uapi/linux/usb/ch9.h
+++ b/include/uapi/linux/usb/ch9.h
@@ -780,6 +780,7 @@ struct usb_interface_assoc_descriptor {
 	__u8  iFunction;
 } __attribute__ ((packed));
 
+#define USB_DT_INTERFACE_ASSOCIATION_SIZE	8
 
 /*-------------------------------------------------------------------------*/
Commit	Line	Data
b0bd2087 GKH	1	From bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb Mon Sep 17 00:00:00 2001
	2	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	3	Date: Tue, 19 Sep 2017 15:07:17 +0200
	4	Subject: USB: fix out-of-bounds in usb_set_configuration
	5
	6	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	7
	8	commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb upstream.
	9
	10	Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
	11	association descriptor. He writes:
	12	It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
	13	descriptor. It's only checked that the size is >= 2 in
	14	usb_parse_configuration(), so find_iad() might do out-of-bounds access
	15	to intf_assoc->bInterfaceCount.
	16
	17	And he's right, we don't check for crazy descriptors of this type very well, so
	18	resolve this problem. Yet another issue found by syzkaller...
	19
	20	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	21	Tested-by: Andrey Konovalov <andreyknvl@google.com>
	22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	23
	24	---
	25	drivers/usb/core/config.c \| 14 +++++++++++---
	26	include/uapi/linux/usb/ch9.h \| 1 +
	27	2 files changed, 12 insertions(+), 3 deletions(-)
	28
	29	--- a/drivers/usb/core/config.c
	30	+++ b/drivers/usb/core/config.c
	31	@@ -643,15 +643,23 @@ static int usb_parse_configuration(struc
	32
	33	} else if (header->bDescriptorType ==
	34	USB_DT_INTERFACE_ASSOCIATION) {
	35	+ struct usb_interface_assoc_descriptor *d;
	36	+
	37	+ d = (struct usb_interface_assoc_descriptor *)header;
	38	+ if (d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE) {
	39	+ dev_warn(ddev,
	40	+ "config %d has an invalid interface association descriptor of length %d, skipping\n",
	41	+ cfgno, d->bLength);
	42	+ continue;
	43	+ }
	44	+
	45	if (iad_num == USB_MAXIADS) {
	46	dev_warn(ddev, "found more Interface "
	47	"Association Descriptors "
	48	"than allocated for in "
	49	"configuration %d\n", cfgno);
	50	} else {
	51	- config->intf_assoc[iad_num] =
	52	- (struct usb_interface_assoc_descriptor
	53	- *)header;
	54	+ config->intf_assoc[iad_num] = d;
	55	iad_num++;
	56	}
	57
	58	--- a/include/uapi/linux/usb/ch9.h
	59	+++ b/include/uapi/linux/usb/ch9.h
	60	@@ -780,6 +780,7 @@ struct usb_interface_assoc_descriptor {
	61	__u8 iFunction;
	62	} __attribute__ ((packed));
	63
	64	+#define USB_DT_INTERFACE_ASSOCIATION_SIZE 8
65
66	/-------------------------------------------------------------------------/
67