Commit dfdf5fa3 authored by Alan Stern's avatar Alan Stern Committed by Greg Kroah-Hartman

USB: core: prevent malicious bNumInterfaces overflow

commit 48a4ff1c upstream.

A malicious USB device with crafted descriptors can cause the kernel
to access unallocated memory by setting the bNumInterfaces value too
high in a configuration descriptor.  Although the value is adjusted
during parsing, this adjustment is skipped in one of the error return
paths.

This patch prevents the problem by setting bNumInterfaces to 0
initially.  The existing code already sets it to the proper value
after parsing is complete.
Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 05de6fa5
...@@ -521,6 +521,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx, ...@@ -521,6 +521,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
unsigned iad_num = 0; unsigned iad_num = 0;
memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE); memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
nintf = nintf_orig = config->desc.bNumInterfaces;
config->desc.bNumInterfaces = 0; // Adjusted later
if (config->desc.bDescriptorType != USB_DT_CONFIG || if (config->desc.bDescriptorType != USB_DT_CONFIG ||
config->desc.bLength < USB_DT_CONFIG_SIZE || config->desc.bLength < USB_DT_CONFIG_SIZE ||
config->desc.bLength > size) { config->desc.bLength > size) {
...@@ -534,7 +537,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx, ...@@ -534,7 +537,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
buffer += config->desc.bLength; buffer += config->desc.bLength;
size -= config->desc.bLength; size -= config->desc.bLength;
nintf = nintf_orig = config->desc.bNumInterfaces;
if (nintf > USB_MAXINTERFACES) { if (nintf > USB_MAXINTERFACES) {
dev_warn(ddev, "config %d has too many interfaces: %d, " dev_warn(ddev, "config %d has too many interfaces: %d, "
"using maximum allowed: %d\n", "using maximum allowed: %d\n",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment