mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
From 1c0edc3633b56000e18d82fc241e3995ca18a69e Mon Sep 17 00:00:00 2001
|
|
From: Alan Stern <stern@rowland.harvard.edu>
|
|
Date: Wed, 18 Oct 2017 12:49:38 -0400
|
|
Subject: [PATCH] USB: core: fix out-of-bounds access bug in
|
|
usb_get_bos_descriptor()
|
|
|
|
Andrey used the syzkaller fuzzer to find an out-of-bounds memory
|
|
access in usb_get_bos_descriptor(). The code wasn't checking that the
|
|
next usb_dev_cap_header structure could fit into the remaining buffer
|
|
space.
|
|
|
|
This patch fixes the error and also reduces the bNumDeviceCaps field
|
|
in the header to match the actual number of capabilities found, in
|
|
cases where there are fewer than expected.
|
|
|
|
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
|
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
|
|
Tested-by: Andrey Konovalov <andreyknvl@google.com>
|
|
CC: <stable@vger.kernel.org>
|
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
---
|
|
drivers/usb/core/config.c | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
|
|
index 68b54bd88d1eb..883549ee946cb 100644
|
|
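--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -960,10 +960,12 @@ int usb_get_bos_descriptor(struct usb_device *dev)
 for (i = 0; i < num; i++) {
 buffer += length;
 cap = (struct usb_dev_cap_header *)buffer;
- length = cap->bLength;
 
- if (total_len < length)
+ if (total_len < sizeof(*cap) || total_len < cap->bLength) {
+ dev->bos->desc->bNumDeviceCaps = i;
 break;
+ }
+ length = cap->bLength;
 total_len -= length;
 
 if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {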
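Review bot: The new guard bounds `cap->bLength` from above only, so a device-supplied capability whose `bLength` is smaller than the header itself (including 0) still passes. In that case `buffer += length` on the next iteration advances by less than one header, and the loop re-reads overlapping or identical bytes as a new capability. Rejecting the malformed length in the same condition would close this: `if (total_len < sizeof(*cap) || cap->bLength < sizeof(*cap) || total_len < cap->bLength) {`. The loop body continues past the end of the hunk; if the code there casts `cap` to larger capability-specific structures, `bLength` should also be checked against each of those sizes before the pointer is stored. A short comment above the check, such as `/* descriptor lengths come from the device and are untrusted */`, would record why both bounds matter.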
|