lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAAeHK+zYCt1bgrK8FHEbWffgqf-ickFXaqZQBcdK1tdkNSbAHA@mail.gmail.com>
Date:   Mon, 9 Oct 2017 13:14:49 +0200
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     Dmitry Torokhov <dmitry.torokhov@...il.com>
Cc:     Johan Hovold <johan@...nel.org>,
        Arvind Yadav <arvind.yadav.cs@...il.com>,
        linux-input@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Kostya Serebryany <kcc@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: usb/misc/ims-pcu: slab-out-of-bounds in ims_pcu_parse_cdc_data

On Sat, Oct 7, 2017 at 8:14 PM, Dmitry Torokhov
<dmitry.torokhov@...il.com> wrote:
> On Thu, Sep 28, 2017 at 01:35:51PM +0200, Andrey Konovalov wrote:
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit dc972a67cc54585bd83ad811c4e9b6ab3dcd427e (4.14-rc2+).
>>
>> There's no check that the length of intf->altsetting->extra is big
>> enough to hold usb_cdc_union_desc struct.
>
> Can you please tell me if the following works for you?
>
> Thanks!

Hi Dmitry,

I don't have a reproducer for this issue, but the fix looks good to
me. I'll apply and keep testing.

Thanks!

Reviewed-by: Andrey Konovalov <andreyknvl@...gle.com>

>
> --
> Dmitry
>
> Input: ims-psu - check if CDC union descriptor is sane
>
> From: Dmitry Torokhov <dmitry.torokhov@...il.com>
>
> Before trying to use CDC union descriptor, try to validate whether that it
> is sane by checking that intf->altsetting->extra is big enough and that
> descriptor bLength is not too big and not too small.
>
> Reported-by: Andrey Konovalov <andreyknvl@...gle.com>
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@...il.com>
> ---
>  drivers/input/misc/ims-pcu.c |   16 ++++++++++++++--
>  1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
> index 6bf82ea8c918..ae473123583b 100644
> --- a/drivers/input/misc/ims-pcu.c
> +++ b/drivers/input/misc/ims-pcu.c
> @@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_interface *intf)
>                 return NULL;
>         }
>
> -       while (buflen > 0) {
> +       while (buflen >= sizeof(*union_desc)) {
>                 union_desc = (struct usb_cdc_union_desc *)buf;
>
> +               if (union_desc->bLength > buflen) {
> +                       dev_err(&intf->dev, "Too large descriptor\n");
> +                       return NULL;
> +               }
> +
>                 if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE &&
>                     union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) {
>                         dev_dbg(&intf->dev, "Found union header\n");
> -                       return union_desc;
> +
> +                       if (union_desc->bLength >= sizeof(*union_desc))
> +                               return union_desc;
> +
> +                       dev_err(&intf->dev,
> +                               "Union descriptor to short (%d vs %zd\n)",
> +                               union_desc->bLength, sizeof(*union_desc));
> +                       return NULL;
>                 }
>
>                 buflen -= union_desc->bLength;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ