lsusb: fix out-of-bounds reads in IPP printer descriptor parsing

dump_printer_device() iterates through sub-descriptors using buf[3] as
the count and buf[n+1] to advance the offset, without any bounds
checking against buf[0] (the total descriptor length). Multiple buffer
accesses (buf[n], buf[n+1], buf[n+2..n+5]) can read past the end of
the descriptor.

A malicious USB device providing a short descriptor with a large
bcdNumDescriptors value or large sub-descriptor lengths causes
out-of-bounds reads.

Add bounds checks: verify minimum descriptor length, check n+2 fits
before each iteration, and check n+6 fits before accessing basic
capability fields.

Assisted-by: gkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: ca4daf4748098bc83c715478eb4f69cf982e9fc2
  1. .github/
  2. ccan/
  3. LICENSES/
  4. man/
  5. tests/
  6. usbhid-dump/
  7. .clang-format
  8. .codespellignore
  9. .editorconfig
  10. .gitignore
  11. autogen.sh
  12. build-dev.ini
  13. desc-defs.c
  14. desc-defs.h
  15. desc-dump.c
  16. desc-dump.h
  17. justfile
  18. lsusb-t.c
  19. lsusb.c
  20. lsusb.h
  21. lsusb.py
  22. meson.build
  23. names.c
  24. names.h
  25. NEWS
  26. README.md
  27. REUSE.toml
  28. sysfs.c
  29. sysfs.h
  30. usb-devices
  31. usb-spec.h
  32. usbmisc.c
  33. usbmisc.h
  34. usbreset.c
  35. usbutils.spdx
README.md

usbutils

This is a collection of USB tools for use on Linux and BSD systems to query what type of USB devices are connected to the system. This is to be run on a USB host (i.e. a machine you plug USB devices into), not on a USB device (i.e. a device you plug into a USB host.)

Building and installing

Note, usbutils depends on libusb and libudev, be sure that libraries are properly installed first.

To work with the “raw” repo, after cloning it just do:

./autogen.sh

which will build everything and place the binaries into the build/ subdirectory.

usbutils uses meson to build, so if you wish to just build by hand you can do:

meson setup build
cd build/
meson compile

Source location

The source for usbutils can be found in many places, depending on the git hosting site you prefer. Here are the primary locations, in order of preference by the maintainer:

https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usbutils.git/
https://git.sr.ht/~gregkh/usbutils
https://github.com/gregkh/usbutils

Contributing

If you have patches or suggestions, you can submit them either via email to the maintainer or to the linux-usb mailing list or via a pull request.

Please note that commits must include a Signed-off-by trailer, indicating that you comply with the Developer Certificate of Origin v1.1.

In addition, when adding new files or contributing to existing ones, ensure that the SPDX tags SPDX-FileCopyrightText and SPDX-License-Identifier are available and are kept up-to date. You can learn more and do that via reuse-tool.