| From 665c365a77fbfeabe52694aedf3446d5f2f1ce42 Mon Sep 17 00:00:00 2001 |
| From: Alan Stern <stern@rowland.harvard.edu> |
| Date: Mon, 15 Oct 2018 16:55:04 -0400 |
| Subject: USB: fix the usbfs flag sanitization for control transfers |
| |
| From: Alan Stern <stern@rowland.harvard.edu> |
| |
| commit 665c365a77fbfeabe52694aedf3446d5f2f1ce42 upstream. |
| |
| Commit 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more") checks the |
| transfer flags for URBs submitted from userspace via usbfs. However, |
| the check for whether the USBDEVFS_URB_SHORT_NOT_OK flag should be |
| allowed for a control transfer was added in the wrong place, before |
| the code has properly determined the direction of the control |
| transfer. (Control transfers are special because for them, the |
| direction is set by the bRequestType byte of the Setup packet rather |
| than direction bit of the endpoint address.) |
| |
| This patch moves code which sets up the allow_short flag for control |
| transfers down after is_in has been set to the correct value. |
| |
| Signed-off-by: Alan Stern <stern@rowland.harvard.edu> |
| Reported-and-tested-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com |
| Fixes: 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more") |
| CC: Oliver Neukum <oneukum@suse.com> |
| CC: <stable@vger.kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/usb/core/devio.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/usb/core/devio.c |
| +++ b/drivers/usb/core/devio.c |
| @@ -1490,8 +1490,6 @@ static int proc_do_submiturb(struct usb_ |
| u = 0; |
| switch (uurb->type) { |
| case USBDEVFS_URB_TYPE_CONTROL: |
| - if (is_in) |
| - allow_short = true; |
| if (!usb_endpoint_xfer_control(&ep->desc)) |
| return -EINVAL; |
| /* min 8 byte setup packet */ |
| @@ -1521,6 +1519,8 @@ static int proc_do_submiturb(struct usb_ |
| is_in = 0; |
| uurb->endpoint &= ~USB_DIR_IN; |
| } |
| + if (is_in) |
| + allow_short = true; |
| snoop(&ps->dev->dev, "control urb: bRequestType=%02x " |
| "bRequest=%02x wValue=%04x " |
| "wIndex=%04x wLength=%04x\n", |