Date: Mon, 18 Sep 2017 20:50:39 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Andrey Konovalov <andreyknvl@...gle.com>
Cc: Jaejoong Kim <climbbb.kim@...il.com>, Jonathan Corbet <corbet@....net>, Mauro Carvalho Chehab <mchehab@...nel.org>, USB list <linux-usb@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, syzkaller <syzkaller@...glegroups.com>, Kostya Serebryany <kcc@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>
Subject: Re: usb/core: slab-out-of-bounds in usb_set_configuration

On Mon, Sep 18, 2017 at 07:22:24PM +0200, Andrey Konovalov wrote:
> Hi!
>
> I've got the following crash while fuzzing the kernel with syzkaller.
>
> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
>
> It seems there's no proper size check of a
> USB_DT_INTERFACE_ASSOCIATION descriptor. It's only checked that the
> size is >= 2 in usb_parse_configuration(), so find_iad() might do
> out-of-bounds access to intf_assoc->bInterfaceCount.

Ah, nice catch! Does the patch below fix this?

thanks,

greg k-h

---------------
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 4be52c602e9b..a3dbac1938ec 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -643,15 +643,23 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx, } else if (header->bDescriptorType == USB_DT_INTERFACE_ASSOCIATION) { + struct usb_interface_assoc_descriptor *d; + + d = (struct usb_interface_assoc_descriptor *)header; + if (d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE) { + dev_warn(ddev, + "config %d has an invalid interface association descriptor of length %d, skipping\n", + cfgno, d->bLength); + continue; + } + if (iad_num == USB_MAXIADS) { dev_warn(ddev, "found more Interface " "Association Descriptors " "than allocated for in " "configuration %d\n", cfgno); } else { - config->intf_assoc[iad_num] = - (struct usb_interface_assoc_descriptor - *)header; + config->intf_assoc[iad_num] = d; iad_num++; }
diff --git a/include/uapi/linux/usb/ch9.h b/include/uapi/linux/usb/ch9.h index ce1169af39d7..2a5d63040a0b 100644 --- a/include/uapi/linux/usb/ch9.h +++ b/include/uapi/linux/usb/ch9.h @@ -780,6 +780,7 @@ struct usb_interface_assoc_descriptor { __u8 iFunction; } __attribute__ ((packed)); +#define USB_DT_INTERFACE_ASSOCIATION_SIZE 8 /*-------------------------------------------------------------------------*/
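Review bot: in the config.c hunk, the `continue` after the "invalid interface association descriptor" warning assumes the enclosing loop advances `buffer`/`size` in its increment clause, which the hunk does not show; if the advance sits in the loop body after the descriptor-type chain, a short IAD would be re-read forever, so that is worth confirming before merging. The ordering is otherwise sound: casting `header` to `d` before the `bLength` test is safe because the test only reads `bLength`, which lies within the two bytes the earlier generic check already guarantees, and skipping the descriptor rather than rejecting the configuration is consistent with the existing `USB_MAXIADS` branch directly below it.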
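Review bot: in the ch9.h hunk, the literal `8` in `USB_DT_INTERFACE_ASSOCIATION_SIZE` has to stay in step with the packed `struct usb_interface_assoc_descriptor` it follows; since config.c compares against the constant rather than `sizeof(struct usb_interface_assoc_descriptor)`, a `BUILD_BUG_ON` at the use site (or defining the constant as that `sizeof`) would tie the two together. Two smaller points: this is a uapi header, so the new name becomes visible to userspace and should be checked against existing definitions, and a blank line between the `#define` and the `/*----*/` separator comment would keep the define visually attached to the struct it describes.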
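Andrey's description above, as an added example that is not the patch or the kernel's own code: a C walker over a constructed descriptor chain that applies the type-specific length check the patch adds (`hardened == 1`) beside the generic-only check it replaces (`hardened == 0`). Struct and macro names mirror ch9.h but are local copies, and `find_iad` here is a stand-in for the kernel function of that name, not its source.

```c
/* Added example, not code from the patch or the kernel: a minimal walk over the descriptors after
 * a configuration header, applying the check the patch adds. Layouts mirror ch9.h (local copies). */
#include <stddef.h>
#include <stdint.h>
#define USB_DT_INTERFACE_ASSOCIATION      0x0b
#define USB_DT_INTERFACE_ASSOCIATION_SIZE 8
#define MAX_IADS                          4
struct usb_descriptor_header { uint8_t bLength, bDescriptorType; } __attribute__((packed));
struct usb_interface_assoc_descriptor {
	uint8_t bLength, bDescriptorType, bFirstInterface, bInterfaceCount,
		bFunctionClass, bFunctionSubClass, bFunctionProtocol, iFunction;
} __attribute__((packed));
struct parse_result { int accepted, skipped; const struct usb_interface_assoc_descriptor *iad[MAX_IADS]; };

/* hardened == 0 applies only the generic bLength >= 2 check, the state Andrey describes:
 * a 2-byte blob typed 0x0b is kept as an IAD although bInterfaceCount lies past its end. */
struct parse_result parse_descriptors(const uint8_t *buf, size_t size, int hardened)
{
	struct parse_result r = {0};
	size_t off = 0;

	while (size - off >= sizeof(struct usb_descriptor_header)) {
		const struct usb_descriptor_header *h = (const void *)(buf + off);
		if (h->bLength < 2 || h->bLength > size - off)
			break;  /* malformed or truncated descriptor: stop walking */
		if (h->bDescriptorType == USB_DT_INTERFACE_ASSOCIATION) {
			if (hardened && h->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE)
				r.skipped++;  /* the patch's check: refuse to cast a short blob */
			else if (r.accepted < MAX_IADS)
				r.iad[r.accepted++] = (const void *)h;
		}
		off += h->bLength;
	}
	return r;
}

/* The consumer Andrey names: reads bInterfaceCount of each accepted IAD, safe only after the check. */
const struct usb_interface_assoc_descriptor *find_iad(const struct parse_result *r, uint8_t inum)
{
	for (int i = 0; i < r->accepted; i++)
		if (inum >= r->iad[i]->bFirstInterface &&
		    inum < r->iad[i]->bFirstInterface + r->iad[i]->bInterfaceCount)
			return r->iad[i];
	return NULL;
}
/* Constructed chain: valid IAD (intf 0..1), interface 0, 2-byte "IAD", bulk IN endpoint. */
const uint8_t sample_chain[] = {
	0x08, 0x0b, 0x00, 0x02, 0x0e, 0x03, 0x00, 0x00,  0x09, 0x04, 0x00, 0x00, 0x01, 0x0e, 0x01, 0x00, 0x00,
	0x02, 0x0b,  0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,
};
```

With `hardened == 1` the 2-byte descriptor is counted as skipped and `find_iad` only ever dereferences full 8-byte bodies; with `hardened == 0` it is stored as a second IAD, which is the state the crash report came from.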