lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 25 Aug 2020 14:00:26 -0400
From:   Alan Stern <stern@...land.harvard.edu>
To:     yanfei.xu@...driver.com
Cc:     gregkh@...uxfoundation.org, linux-usb@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] USB: core: limit access to rawdescriptors which were not
 allocated

On Wed, Aug 26, 2020 at 12:16:59AM +0800, yanfei.xu@...driver.com wrote:
> From: Yanfei Xu <yanfei.xu@...driver.com>
> 
> When using systemcall to read the rawdescriptors, make sure we won't
> access to the rawdescriptors never allocated, which are number
> exceed the USB_MAXCONFIG.
> 
> Reported-by: syzbot+256e56ddde8b8957eabd@...kaller.appspotmail.com
> Signed-off-by: Yanfei Xu <yanfei.xu@...driver.com>
> ---
>  drivers/usb/core/sysfs.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
> index a2ca38e25e0c..1a7a625e5f55 100644
> --- a/drivers/usb/core/sysfs.c
> +++ b/drivers/usb/core/sysfs.c
> @@ -895,7 +895,8 @@ read_descriptors(struct file *filp, struct kobject *kobj,
>  	 * configurations (config plus subsidiary descriptors).
>  	 */
>  	for (cfgno = -1; cfgno < udev->descriptor.bNumConfigurations &&
> -			nleft > 0; ++cfgno) {
> +			nleft > 0 &&
> +			cfgno < USB_MAXCONFIG; ++cfgno) {
>  		if (cfgno < 0) {
>  			src = &udev->descriptor;
>  			srclen = sizeof(struct usb_device_descriptor);

This is not the right way to fix the problem.

Instead, we should make sure that udev->descriptor.bNumConfigurations is 
always <= USB_MAXCONFIG.  That's what this code in 
usb_get_configuration() is supposed to do:

	int ncfg = dev->descriptor.bNumConfigurations;
	...

	if (ncfg > USB_MAXCONFIG) {
		dev_warn(ddev, "too many configurations: %d, "
		    "using maximum allowed: %d\n", ncfg, USB_MAXCONFIG);
		dev->descriptor.bNumConfigurations = ncfg = USB_MAXCONFIG;
	}

If you want to fix the bug, you need to figure out why this isn't 
working.

Alan Stern

Powered by blists - more mailing lists