From: Greg Kroah-Hartman
Date: Mon, 23 Oct 2017 12:42:07 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.78~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6492d92bb4a2e24e361cfc6cebf6feb5407e405a;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch
---
diff --git a/queue-4.4/usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch b/queue-4.4/usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch new file mode 100644 index 00000000000..4b3cb857e1c --- /dev/null +++ b/queue-4.4/usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch
@@ -0,0 +1,67 @@ +From 845d584f41eac3475c21e4a7d5e88d0f6e410cf7 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 16 Oct 2017 16:21:19 +0200 +Subject: USB: devio: Revert "USB: devio: Don't corrupt user memory" + +From: Hans de Goede + +commit 845d584f41eac3475c21e4a7d5e88d0f6e410cf7 upstream. + +Taking the uurb->buffer_length userspace passes in as a maximum for the +actual urbs transfer_buffer_length causes 2 serious issues: + +1) It breaks isochronous support for all userspace apps using libusb, + as existing libusb versions pass in 0 for uurb->buffer_length, + relying on the kernel using the lenghts of the usbdevfs_iso_packet_desc + descriptors passed in added together as buffer length. + + This for example causes redirection of USB audio and Webcam's into + virtual machines using qemu-kvm to no longer work. This is a userspace + ABI break and as such must be reverted. + + Note that the original commit does not protect other users / the + kernels memory, it only stops the userspace process making the call + from shooting itself in the foot. + +2) It may cause the kernel to program host controllers to DMA over random + memory. Just as the devio code used to only look at the iso_packet_desc + lenghts, the host drivers do the same, relying on the submitter of the + urbs to make sure the entire buffer is large enough and not checking + transfer_buffer_length. + + But the "USB: devio: Don't corrupt user memory" commit now takes the + userspace provided uurb->buffer_length for the buffer-size while copying + over the user-provided iso_packet_desc lengths 1:1, allowing the user + to specify a small buffer size while programming the host controller to + dma a lot more data. + + (Atleast the ohci, uhci, xhci and fhci drivers do not check + transfer_buffer_length for isoc transfers.) + +This reverts commit fa1ed74eb1c2 ("USB: devio: Don't corrupt user memory") +fixing both these issues. 
+ +Cc: Dan Carpenter +Signed-off-by: Hans de Goede +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devio.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1417,11 +1417,7 @@ static int proc_do_submiturb(struct usb_ + totlen += isopkt[u].length; + } + u *= sizeof(struct usb_iso_packet_descriptor); +- if (totlen <= uurb->buffer_length) +- uurb->buffer_length = totlen; +- else +- WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d", +- totlen, uurb->buffer_length); ++ uurb->buffer_length = totlen; + break; + + default:
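Review bot: In the drivers/usb/core/devio.c hunk, the restored `uurb->buffer_length = totlen;` discards the value userspace passed in and nothing in the code records why. A short comment above the assignment, saying that existing libusb versions pass 0 here and that the sum of the iso_packet_desc lengths is the buffer size the kernel relies on, would keep the removed `if (totlen <= uurb->buffer_length)` check from being reintroduced later. The changelog also says the host drivers do not check transfer_buffer_length for isoc transfers, so please confirm that totlen, accumulated by `totlen += isopkt[u].length;`, is bounded before the transfer buffer is sized from it; no such bound is visible in the context shown. The changelog names fa1ed74eb1c2 only in prose; a Fixes: tag for it would make it easier to tell which stable trees need this revert.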