Re: [PATCH] USB: core: limit access to rawdescriptors which were not allocated
From: Xu, Yanfei
Date: Wed Aug 26 2020 - 02:57:07 EST
On 8/26/20 2:00 AM, Alan Stern wrote:
On Wed, Aug 26, 2020 at 12:16:59AM +0800, yanfei.xu@xxxxxxxxxxxxx wrote:
From: Yanfei Xu <yanfei.xu@xxxxxxxxxxxxx>
When using systemcall to read the rawdescriptors, make sure we won't
access to the rawdescriptors never allocated, which are number
exceed the USB_MAXCONFIG.
Reported-by: syzbot+256e56ddde8b8957eabd@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Yanfei Xu <yanfei.xu@xxxxxxxxxxxxx>
---
drivers/usb/core/sysfs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
index a2ca38e25e0c..1a7a625e5f55 100644
--- a/drivers/usb/core/sysfs.c
+++ b/drivers/usb/core/sysfs.c
@@ -895,7 +895,8 @@ read_descriptors(struct file *filp, struct kobject *kobj,
* configurations (config plus subsidiary descriptors).
*/
for (cfgno = -1; cfgno < udev->descriptor.bNumConfigurations &&
- nleft > 0; ++cfgno) {
+ nleft > 0 &&
+ cfgno < USB_MAXCONFIG; ++cfgno) {
if (cfgno < 0) {
src = &udev->descriptor;
srclen = sizeof(struct usb_device_descriptor);
This is not the right way to fix the problem.
Instead, we should make sure that udev->descriptor.bNumConfigurations is
always <= USB_MAXCONFIG. That's what this code in
usb_get_configuration() is supposed to do:
int ncfg = dev->descriptor.bNumConfigurations;
...
if (ncfg > USB_MAXCONFIG) {
dev_warn(ddev, "too many configurations: %d, "
"using maximum allowed: %d\n", ncfg, USB_MAXCONFIG);
dev->descriptor.bNumConfigurations = ncfg = USB_MAXCONFIG;
}
If you want to fix the bug, you need to figure out why this isn't
working.
Thanks for you suggestion. The patch is not right. I'll try to look
into the root cause.
Regard,
Yanfei.
Alan Stern