| From a03ff54460817c76105f81f3aa8ef655759ccc9a Mon Sep 17 00:00:00 2001 |
| From: Alan Stern <stern@rowland.harvard.edu> |
| Date: Mon, 13 May 2019 13:14:29 -0400 |
| Subject: USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor |
| |
| From: Alan Stern <stern@rowland.harvard.edu> |
| |
| commit a03ff54460817c76105f81f3aa8ef655759ccc9a upstream. |
| |
| The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the |
| USB core, caused by a failure to check the actual size of a BOS |
| descriptor. This patch adds a check to make sure the descriptor is at |
| least as large as it is supposed to be, so that the code doesn't |
| inadvertently access memory beyond the end of the allocated region |
| when assigning to dev->bos->desc->bNumDeviceCaps later on. |
| |
| Signed-off-by: Alan Stern <stern@rowland.harvard.edu> |
| Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com |
| CC: <stable@vger.kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/usb/core/config.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/usb/core/config.c |
| +++ b/drivers/usb/core/config.c |
| @@ -936,8 +936,8 @@ int usb_get_bos_descriptor(struct usb_de |
| |
| /* Get BOS descriptor */ |
| ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE); |
| - if (ret < USB_DT_BOS_SIZE) { |
| - dev_err(ddev, "unable to get BOS descriptor\n"); |
| + if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) { |
| + dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n"); |
| if (ret >= 0) |
| ret = -ENOMSG; |
| kfree(bos); |
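Review bot: the added `bos->bLength < USB_DT_BOS_SIZE` test shares a single dev_err() message with the transfer-failure case, so a log line cannot tell a failed control transfer from a device that returned a descriptor with an undersized bLength. Consider including ret and bos->bLength in the message, or splitting it into two messages, so that a malformed or hostile device is identifiable from the kernel log. The existing `if (ret >= 0) ret = -ENOMSG;` does cover the new case, because ret is non-negative when only bLength is too small. The check bounds bLength from below only; whatever the function does afterwards with the descriptor's other length fields is outside this hunk and needs its own validation.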