Re: usb/core: slab-out-of-bounds in usb_get_bos_descriptor

From: Alan Stern
Date: Wed Oct 18 2017 - 11:25:25 EST


On Wed, 18 Oct 2017, Andrey Konovalov wrote:

> Hi!
>
> I've got the following report while fuzzing the kernel with syzkaller.
>
> On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
>
> Looks like usb_get_bos_descriptor() doesn't check that the buffer has
> enough space for usb_dev_cap_header, which causes out-of-bounds
> accesses.

Please try the patch below.

Alan Stern



Index: usb-4.x/drivers/usb/core/config.c
===================================================================
--- usb-4.x.orig/drivers/usb/core/config.c
+++ usb-4.x/drivers/usb/core/config.c
@@ -952,10 +952,12 @@ int usb_get_bos_descriptor(struct usb_de
for (i = 0; i < num; i++) {
buffer += length;
cap = (struct usb_dev_cap_header *)buffer;
- length = cap->bLength;

- if (total_len < length)
+ if (total_len < sizeof(*cap) || total_len < cap->bLength) {
+ dev->bos->desc->bNumDeviceCaps = i;
break;
+ }
+ length = cap->bLength;
total_len -= length;

if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
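Review bot: the new condition at the top of the loop bounds the header and the declared bLength against total_len, but it puts no lower bound on cap->bLength, so a descriptor advertising bLength of 0, 1 or 2 passes both tests, `length = cap->bLength` then advances buffer by less than a header (or not at all), and the next iteration re-parses overlapping bytes num times; suggest also breaking, with the same bNumDeviceCaps = i trimming, when cap->bLength < sizeof(*cap). The order of the two tests is right: the short-circuit `||` guarantees cap->bLength is only read once sizeof(*cap) bytes are known to remain. The check covers only the generic 3-byte header, though; if later in this loop buffer is cast to a larger capability-specific descriptor, that cast needs its own comparison against length.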
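The following is an added, self-contained user-space model of the capability walk discussed in this thread; it is not Alan's patch and not code from drivers/usb/core/config.c. It runs the pre-patch logic, the patched logic, and one assumed extra hardening (rejecting bLength smaller than the header, which the patch does not do) over three constructed BOS blobs. Instead of really reading past the buffer it flags a header read that would straddle the end of the allocation, standing in for the KASAN report; the descriptor layouts and the USB_DT_DEVICE_CAPABILITY value follow the USB 3.x spec, and the sample bytes are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code: models usb_get_bos_descriptor()'s loop. */
#define USB_DT_DEVICE_CAPABILITY 0x10

struct usb_bos_descriptor {            /* 5 bytes on the wire */
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint16_t wTotalLength;             /* little-endian */
    uint8_t  bNumDeviceCaps;
} __attribute__((packed));

struct usb_dev_cap_header {            /* 3 bytes; every capability starts with it */
    uint8_t bLength;
    uint8_t bDescriptorType;
    uint8_t bDevCapabilityType;
} __attribute__((packed));

enum walk_mode {
    WALK_UNCHECKED,   /* pre-patch: length = cap->bLength; if (total_len < length) break; */
    WALK_PATCHED,     /* the patch: also require total_len >= sizeof(*cap) before touching cap */
    WALK_STRICT,      /* assumed extra hardening: additionally reject bLength < sizeof(*cap) */
};

struct walk_result {
    unsigned walked;  /* capability descriptors stepped over (what bNumDeviceCaps ends up as) */
    int oob;          /* 1 if a header read would have crossed the end of the buffer */
};

/* buf/len model the kzalloc(total_len) buffer the kernel reads the BOS into. */
static struct walk_result walk_bos(const uint8_t *buf, size_t len, enum walk_mode mode)
{
    struct walk_result r = {0, 0};
    const struct usb_bos_descriptor *bos = (const struct usb_bos_descriptor *)buf;
    const struct usb_dev_cap_header *cap;
    size_t off = 0, total_len, length;
    unsigned i, num;

    if (len < sizeof(*bos))
        return r;
    length = bos->bLength;
    total_len = (size_t)buf[2] | ((size_t)buf[3] << 8);   /* le16_to_cpu(wTotalLength) */
    num = bos->bNumDeviceCaps;
    if (total_len < length || total_len > len)            /* kernel: -EINVAL / short read */
        return r;
    total_len -= length;

    for (i = 0; i < num; i++) {
        off += length;

        if (mode != WALK_UNCHECKED && total_len < sizeof(*cap))
            break;    /* first half of the patched condition: the header must fit */

        /* KASAN-style instrumentation: the real code dereferences cap here
         * unconditionally; a header straddling the end of the allocation is
         * the slab-out-of-bounds read from the report. */
        if (off + sizeof(*cap) > len) {
            r.oob = 1;
            break;
        }
        cap = (const struct usb_dev_cap_header *)(buf + off);

        length = cap->bLength;
        if (total_len < length)
            break;    /* second half: the declared body must fit (all modes) */
        if (mode == WALK_STRICT && length < sizeof(*cap))
            break;    /* bLength 0..2 would re-parse overlapping bytes next round */
        total_len -= length;
        r.walked++;

        if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY)
            continue;  /* kernel warns and skips; capability-specific parsing follows */
    }
    return r;
}

/* Constructed sample BOS blobs for the example (not captured from real devices). */
static const uint8_t bos_good[] = {
    0x05, 0x0f, 0x16, 0x00, 0x02,                               /* BOS: 22 bytes, 2 caps */
    0x07, 0x10, 0x02, 0x02, 0x00, 0x00, 0x00,                   /* USB 2.0 extension cap */
    0x0a, 0x10, 0x03, 0x00, 0x0e, 0x00, 0x01, 0x0a, 0xff, 0x07, /* SuperSpeed cap */
};
static const uint8_t bos_truncated[] = {                        /* claims 2 caps, 2 bytes follow */
    0x05, 0x0f, 0x07, 0x00, 0x02, 0x02, 0x10,
};
static const uint8_t bos_zero_len[] = {                         /* one cap with bLength == 0 */
    0x05, 0x0f, 0x08, 0x00, 0x03, 0x00, 0x10, 0x02,
};

int main(void)
{
    static const char *names[] = {"unchecked", "patched", "strict"};
    for (int m = WALK_UNCHECKED; m <= WALK_STRICT; m++) {
        struct walk_result a = walk_bos(bos_good, sizeof bos_good, m);
        struct walk_result b = walk_bos(bos_truncated, sizeof bos_truncated, m);
        struct walk_result c = walk_bos(bos_zero_len, sizeof bos_zero_len, m);
        printf("%-9s good: walked=%u oob=%d | truncated: walked=%u oob=%d | zero-len: walked=%u oob=%d\n",
               names[m], a.walked, a.oob, b.walked, b.oob, c.walked, c.oob);
    }
    return 0;
}
```

The truncated blob is the report's case: the BOS header promises two capabilities but only two bytes follow, so the unchecked walk flags a header read past the end while the patched walk stops before touching it and leaves zero capabilities. The zero-length blob shows what the patch alone does not catch: a bLength of 0 is accepted three times over the same bytes, and only the assumed strict variant rejects it.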