lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <YPN5WVw3c1Xy4sdB@sashalap>
Date:   Sat, 17 Jul 2021 20:44:09 -0400
From:   Sasha Levin <sashal@...nel.org>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        Alan Stern <stern@...land.harvard.edu>,
        Johan Hovold <johan@...nel.org>,
        syzbot+7dbcd9ff34dc4ed45240@...kaller.appspotmail.com,
        linux-usb@...r.kernel.org
Subject: Re: [PATCH AUTOSEL 5.13 062/114] USB: core: Avoid WARNings for
 0-length descriptor requests

On Sat, Jul 10, 2021 at 08:23:50AM +0200, Greg Kroah-Hartman wrote:
>On Fri, Jul 09, 2021 at 10:16:56PM -0400, Sasha Levin wrote:
>> From: Alan Stern <stern@...land.harvard.edu>
>>
>> [ Upstream commit 60dfe484cef45293e631b3a6e8995f1689818172 ]
>>
>> The USB core has utility routines to retrieve various types of
>> descriptors.  These routines will now provoke a WARN if they are asked
>> to retrieve 0 bytes (USB "receive" requests must not have zero
>> length), so avert this by checking the size argument at the start.
>>
>> CC: Johan Hovold <johan@...nel.org>
>> Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@...kaller.appspotmail.com
>> Reviewed-by: Johan Hovold <johan@...nel.org>
>> Signed-off-by: Alan Stern <stern@...land.harvard.edu>
>> Link: https://lore.kernel.org/r/20210607152307.GD1768031@rowland.harvard.edu
>> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
>> Signed-off-by: Sasha Levin <sashal@...nel.org>
>> ---
>>  drivers/usb/core/message.c | 6 ++++++
>>  1 file changed, 6 insertions(+)
>>
>> diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
>> index 30e9e680c74c..4d59d927ae3e 100644
>> --- a/drivers/usb/core/message.c
>> +++ b/drivers/usb/core/message.c
>> @@ -783,6 +783,9 @@ int usb_get_descriptor(struct usb_device *dev, unsigned char type,
>>  	int i;
>>  	int result;
>>
>> +	if (size <= 0)		/* No point in asking for no data */
>> +		return -EINVAL;
>> +
>>  	memset(buf, 0, size);	/* Make sure we parse really received data */
>>
>>  	for (i = 0; i < 3; ++i) {
>> @@ -832,6 +835,9 @@ static int usb_get_string(struct usb_device *dev, unsigned short langid,
>>  	int i;
>>  	int result;
>>
>> +	if (size <= 0)		/* No point in asking for no data */
>> +		return -EINVAL;
>> +
>>  	for (i = 0; i < 3; ++i) {
>>  		/* retry on length 0 or stall; some devices are flakey */
>>  		result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
>> --
>> 2.30.2
>>
>
>This patch should be dropped from all of the autosel branches it was
>picked to, as I do not think the USB core has been fixed up, along with
>all of the different drivers that we noticed doing this, in the stable
>trees.
>
>So please drop from everywhere at this time.

Will do, thanks!

-- 
Thanks,
Sasha

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ