Alan Stern
Oct 18, 2017, 11:25:21 AM
to Andrey Konovalov, Greg Kroah-Hartman, Samuel Thibault, Dmitry Fleytman, USB list, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller
On Wed, 18 Oct 2017, Andrey Konovalov wrote:
> Hi!
>
> I've got the following report while fuzzing the kernel with syzkaller.
>
> On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
>
> Looks like usb_get_bos_descriptor() doesn't check that buffer has
> enough space for usb_dev_cap_header, which causes out-of-bounds
> accesses.
Please try the patch below.
Alan Stern
Index: usb-4.x/drivers/usb/core/config.c
===================================================================
--- usb-4.x.orig/drivers/usb/core/config.c
+++ usb-4.x/drivers/usb/core/config.c
@@ -952,10 +952,12 @@ int usb_get_bos_descriptor(struct usb_de
for (i = 0; i < num; i++) {
buffer += length;
cap = (struct usb_dev_cap_header *)buffer;
- length = cap->bLength;
- if (total_len < length)
+ if (total_len < sizeof(*cap) || total_len < cap->bLength) {
+ dev->bos->desc->bNumDeviceCaps = i;
break;
+ }
+ length = cap->bLength;
total_len -= length;
if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
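Review bot: the order of the two conditions in the new `if` is load-bearing and deserves a comment: `total_len < sizeof(*cap)` must be evaluated before `cap->bLength` is read, because that header read is the out-of-bounds access the report describes, and only the `||` short-circuit keeps it safe. The hunk also still accepts a `bLength` smaller than `sizeof(*cap)`, including 0: with `length = cap->bLength;` and `buffer += length;` at the top of the loop, such a descriptor makes the next iteration re-read the same or an overlapping header instead of advancing. It is not an out-of-bounds read, but rejecting it in the same branch, e.g. `if (total_len < sizeof(*cap) || cap->bLength < sizeof(*cap) || total_len < cap->bLength) {`, would stop malformed descriptors from being counted. Setting `dev->bos->desc->bNumDeviceCaps = i;` before the `break` is the right complement, since later consumers then only iterate over capabilities that were actually validated.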
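As an added user-space example (not code from this thread or from the kernel), the capability walk with the two length checks the patch introduces, plus a lower bound on bLength that the patch does not add; the struct layout is an assumption standing in for the kernel's usb_dev_cap_header, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the kernel's struct usb_dev_cap_header (assumed layout: the
 * 3-byte prefix common to every BOS device capability descriptor). */
struct cap_header {
    uint8_t bLength;
    uint8_t bDescriptorType;
    uint8_t bDevCapabilityType;
};

/* Walk up to num capability descriptors in buf[0..total_len). Before reading a
 * header, require sizeof(*cap) bytes; before consuming it, require bLength
 * bytes. Returns the index at which parsing stopped, the value the patch stores
 * in bNumDeviceCaps, so callers never iterate past validated data. */
size_t parse_device_caps(const uint8_t *buf, size_t total_len, unsigned num)
{
    size_t length = 0;
    unsigned i;

    for (i = 0; i < num; i++) {
        const struct cap_header *cap;
        buf += length;
        cap = (const struct cap_header *)buf;
        /* Order matters: reading cap->bLength is only safe after the first test. */
        if (total_len < sizeof(*cap) || total_len < cap->bLength)
            break;                      /* truncated: stop here */
        length = cap->bLength;
        if (length < sizeof(*cap))
            break;                      /* extra check: would fail to advance */
        total_len -= length;
    }
    return i;
}

/* Constructed sample input (not captured from a device): two well-formed
 * capabilities, then a third header cut short after 2 bytes. */
static const uint8_t sample_truncated[] = {
    0x07, 0x10, 0x02, 0x00, 0x00, 0x00, 0x00,                   /* 7-byte cap */
    0x0a, 0x10, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 10-byte cap */
    0x05, 0x10,                                                 /* truncated */
};
/* Constructed: second descriptor claims 0x20 bytes with only 3 remaining. */
static const uint8_t sample_overlong[] = {
    0x07, 0x10, 0x02, 0x00, 0x00, 0x00, 0x00, 0x20, 0x10, 0x03,
};

size_t demo_truncated(void) { return parse_device_caps(sample_truncated, sizeof sample_truncated, 3); }
size_t demo_overlong(void)  { return parse_device_caps(sample_overlong, sizeof sample_overlong, 2); }
```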