lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20190513204851.GA20475@kroah.com>
Date:   Mon, 13 May 2019 22:48:51 +0200
From:   Greg KH <greg@...ah.com>
To:     Alan Stern <stern@...land.harvard.edu>
Cc:     andreyknvl@...gle.com, gustavo@...eddedor.com,
        Kernel development list <linux-kernel@...r.kernel.org>,
        USB list <linux-usb@...r.kernel.org>, suwan.kim027@...il.com,
        syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] USB: Fix slab-out-of-bounds write in
 usb_get_bos_descriptor

On Mon, May 13, 2019 at 01:14:29PM -0400, Alan Stern wrote:
> The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the
> USB core, caused by a failure to check the actual size of a BOS
> descriptor.  This patch adds a check to make sure the descriptor is at
> least as large as it is supposed to be, so that the code doesn't
> inadvertently access memory beyond the end of the allocated region
> when assigning to dev->bos->desc->bNumDeviceCaps later on.
> 
> Signed-off-by: Alan Stern <stern@...land.harvard.edu>
> Reported-and-tested-by: syzbot+71f1e64501a309fcc012@...kaller.appspotmail.com
> CC: <stable@...r.kernel.org>
> 
> ---
> 
> 
> [as1898]
> 
> 
>  drivers/usb/core/config.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> Index: usb-devel/drivers/usb/core/config.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/core/config.c
> +++ usb-devel/drivers/usb/core/config.c
> @@ -932,8 +932,8 @@ int usb_get_bos_descriptor(struct usb_de
>  
>  	/* Get BOS descriptor */
>  	ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE);
> -	if (ret < USB_DT_BOS_SIZE) {
> -		dev_err(ddev, "unable to get BOS descriptor\n");
> +	if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) {
> +		dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n");

Nice fix, I thought we had found all of these the last time we fuzzed
this area :)

I'll queue this up once 5.2-rc1 is out, thanks.

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ