Message-ID: <476ed63c-0578-54a5-9ab1-5b26e1d9f5c6@windriver.com>
Date:   Wed, 26 Aug 2020 14:56:49 +0800
From:   "Xu, Yanfei" <yanfei.xu@...driver.com>
To:     Alan Stern <stern@...land.harvard.edu>
Cc:     gregkh@...uxfoundation.org, linux-usb@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] USB: core: limit access to rawdescriptors which were not
 allocated



On 8/26/20 2:00 AM, Alan Stern wrote:
> On Wed, Aug 26, 2020 at 12:16:59AM +0800, yanfei.xu@...driver.com wrote:
>> From: Yanfei Xu <yanfei.xu@...driver.com>
>>
>> When using a system call to read the rawdescriptors, make sure we won't
>> access rawdescriptors that were never allocated, i.e. those whose
>> number exceeds USB_MAXCONFIG.
>>
>> Reported-by: syzbot+256e56ddde8b8957eabd@...kaller.appspotmail.com
>> Signed-off-by: Yanfei Xu <yanfei.xu@...driver.com>
>> ---
>>   drivers/usb/core/sysfs.c | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
>> index a2ca38e25e0c..1a7a625e5f55 100644
>> --- a/drivers/usb/core/sysfs.c
>> +++ b/drivers/usb/core/sysfs.c
>> @@ -895,7 +895,8 @@ read_descriptors(struct file *filp, struct kobject *kobj,
>>   	 * configurations (config plus subsidiary descriptors).
>>   	 */
>>   	for (cfgno = -1; cfgno < udev->descriptor.bNumConfigurations &&
>> -			nleft > 0; ++cfgno) {
>> +			nleft > 0 &&
>> +			cfgno < USB_MAXCONFIG; ++cfgno) {
>>   		if (cfgno < 0) {
>>   			src = &udev->descriptor;
>>   			srclen = sizeof(struct usb_device_descriptor);
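Review bot: The new `cfgno < USB_MAXCONFIG` test in the `for` condition of read_descriptors() guards only this one loop and leaves `udev->descriptor.bNumConfigurations` itself unchanged, so any other code that trusts that field would still see an out-of-range count. Validating or clamping the count where it is stored would cover every reader; if the loop guard is kept as defence in depth, it needs a comment saying which out-of-range case it protects against, and the commit message should explain how the count can exceed USB_MAXCONFIG in the first place.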
> 
> This is not the right way to fix the problem.
> 
> Instead, we should make sure that udev->descriptor.bNumConfigurations is
> always <= USB_MAXCONFIG.  That's what this code in
> usb_get_configuration() is supposed to do:
> 
> 	int ncfg = dev->descriptor.bNumConfigurations;
> 	...
> 
> 	if (ncfg > USB_MAXCONFIG) {
> 		dev_warn(ddev, "too many configurations: %d, "
> 		    "using maximum allowed: %d\n", ncfg, USB_MAXCONFIG);
> 		dev->descriptor.bNumConfigurations = ncfg = USB_MAXCONFIG;
> 	}
> 
> If you want to fix the bug, you need to figure out why this isn't
> working.
Thanks for your suggestion. The patch is not right. I'll try to look
into the root cause.

Regards,
Yanfei.
> 
> Alan Stern
> 
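The invariant discussed in this thread, as an added example that is not part of the original messages and is not kernel code: a userspace C model in which the count is clamped where it is stored and a reader that trusts the count reports a violation instead of indexing past the allocated slots. The `model_*` names and struct are hypothetical, and the thread does not say how the count ends up above USB_MAXCONFIG; the last step in `main` only simulates that state.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USB_MAXCONFIG 8 /* kernel constant's name; value assumed for this model */

/* Hypothetical model of the two fields involved, not struct usb_device. */
struct model_dev {
    unsigned char bNumConfigurations;          /* count reported by the device */
    const char *rawdescriptors[USB_MAXCONFIG]; /* only this many slots exist */
};

/* Clamp at the source, as the quoted usb_get_configuration() code does. */
static int model_get_configuration(struct model_dev *dev, unsigned char reported)
{
    int ncfg = reported;
    if (ncfg > USB_MAXCONFIG)
        ncfg = USB_MAXCONFIG;
    dev->bNumConfigurations = (unsigned char)ncfg;
    for (int i = 0; i < ncfg; i++)
        dev->rawdescriptors[i] = "cfg"; /* constructed 3-byte stand-in */
    return ncfg;
}

/* Reader that trusts the count. Returns bytes copied, or -1 when the
 * count would index past the allocated slots (invariant violated). */
static long model_read_descriptors(const struct model_dev *dev, char *buf, size_t nleft)
{
    long copied = 0;
    for (int cfgno = 0; cfgno < dev->bNumConfigurations && nleft > 0; ++cfgno) {
        if (cfgno >= USB_MAXCONFIG)
            return -1;
        size_t n = strlen(dev->rawdescriptors[cfgno]);
        if (n > nleft)
            n = nleft;
        memcpy(buf + copied, dev->rawdescriptors[cfgno], n);
        copied += (long)n;
        nleft -= n;
    }
    return copied;
}

int main(void)
{
    struct model_dev d = {0};
    char buf[64];
    printf("clamped to %d\n", model_get_configuration(&d, 200));
    printf("read %ld bytes\n", model_read_descriptors(&d, buf, sizeof buf));
    d.bNumConfigurations = 200; /* simulate the count changing after the clamp */
    printf("read result %ld\n", model_read_descriptors(&d, buf, sizeof buf));
    return 0;
}
```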
