Google Git
Sign in
chromium / chromiumos / third_party / kernel / a725a70f1f891d884ab83c6af4169bb0c5b8c662^! / .
commita725a70f1f891d884ab83c6af4169bb0c5b8c662[log] [tgz]
authorMathias Payer <mathias.payer@nebelwelt.net>Wed Dec 05 20:19:59 2018
committerchrome-bot <chrome-bot@chromium.org>Thu Dec 20 21:49:53 2018
tree28d9214930709a3a420523f94f5949e807ed56f5
parent35de9c774b14163dd935c7605499396e7b56afed [diff]
BACKPORT: USB: check usb_get_extra_descriptor for proper size

commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf upstream.

When reading an extra descriptor, we need to properly check the minimum
and maximum size allowed, to prevent from invalid data being sent by a
device.

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

BUG=chromium:915636
TEST=CQ

(cherry picked from v3.18.y, commit d672c306e00a904adcbdce42b51b23b3e906f5cf)
Signed-off-by: Guenter Roeck <groeck@chromium.org>

Change-Id: Id4b749680e1af923f23c07017dbf4b00f75b8265
Reviewed-on: https://chromium-review.googlesource.com/1384717
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 7b93ff2..bb04ce52 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c

@@ -2226,7 +2226,8 @@
 		/* descriptor may appear anywhere in config */
 		if (__usb_get_extra_descriptor (udev->rawdescriptors[0],
 					le16_to_cpu(udev->config[0].desc.wTotalLength),
-					USB_DT_OTG, (void **) &desc) == 0) {
+					USB_DT_OTG, (void **) &desc,
+					sizeof(*desc)) == 0) {
 			if (desc->bmAttributes & USB_OTG_HNP) {
 				unsigned		port1 = udev->portnum;
 

diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
index 4d11449..33bcc30 100644
--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c

@@ -661,14 +661,14 @@
  */
 
 int __usb_get_extra_descriptor(char *buffer, unsigned size,
-			       unsigned char type, void **ptr)
+			       unsigned char type, void **ptr, size_t minsize)
 {
 	struct usb_descriptor_header *header;
 
 	while (size >= sizeof(struct usb_descriptor_header)) {
 		header = (struct usb_descriptor_header *)buffer;
 
-		if (header->bLength < 2) {
+		if (header->bLength < 2 || header->bLength > size) {
 			printk(KERN_ERR
 				"%s: bogus descriptor, type %d length %d\n",
 				usbcore_name,
@@ -677,7 +677,7 @@
 			return -1;
 		}
 
-		if (header->bDescriptorType == type) {
+		if (header->bDescriptorType == type && header->bLength >= minsize) {
 			*ptr = header;
 			return 0;
 		}

diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
index e076699..3cde7f1 100644
--- a/drivers/usb/host/hwa-hc.c
+++ b/drivers/usb/host/hwa-hc.c

@@ -618,7 +618,7 @@
 	top = itr + itr_size;
 	result = __usb_get_extra_descriptor(usb_dev->rawdescriptors[index],
 			le16_to_cpu(usb_dev->actconfig->desc.wTotalLength),
-			USB_DT_SECURITY, (void **) &secd);
+			USB_DT_SECURITY, (void **) &secd, sizeof(*secd));
 	if (result == -1) {
 		dev_warn(dev, "BUG? WUSB host has no security descriptors\n");
 		return 0;

diff --git a/include/linux/usb.h b/include/linux/usb.h
index baf67c1..1fe5c9f 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h

@@ -330,11 +330,11 @@
 };
 
 int __usb_get_extra_descriptor(char *buffer, unsigned size,
-	unsigned char type, void **ptr);
+	unsigned char type, void **ptr, size_t min);
 #define usb_get_extra_descriptor(ifpoint, type, ptr) \
 				__usb_get_extra_descriptor((ifpoint)->extra, \
 				(ifpoint)->extralen, \
-				type, (void **)ptr)
+				type, (void **)ptr, sizeof(**(ptr)))
 
 /* ----------------------------------------------------------------------- */