From patchwork Sat Oct 7 18:14:33 2017
X-Patchwork-Submitter: Dmitry Torokhov
X-Patchwork-Id: 9991399
Date: Sat, 7 Oct 2017 11:14:33 -0700
From: Dmitry Torokhov
To: Andrey Konovalov
Cc: Johan Hovold, Arvind Yadav, linux-input@vger.kernel.org, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller
Subject: Re: usb/misc/ims-pcu: slab-out-of-bounds in ims_pcu_parse_cdc_data
Message-ID: <20171007181433.GA14355@dtor-ws>

On Thu, Sep 28, 2017 at 01:35:51PM +0200, Andrey Konovalov wrote:
> Hi!
>
> I've got the following report while fuzzing the kernel with syzkaller.
>
> On commit dc972a67cc54585bd83ad811c4e9b6ab3dcd427e (4.14-rc2+).
>
> There's no check that the length of intf->altsetting->extra is big
> enough to hold usb_cdc_union_desc struct.

Can you please tell me if the following works for you?

Thanks!

Reviewed-by: Andrey Konovalov

diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c index 6bf82ea8c918..ae473123583b 100644 --- a/drivers/input/misc/ims-pcu.c +++ b/drivers/input/misc/ims-pcu.c @@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_interface *intf) return NULL; } - while (buflen > 0) { + while (buflen >= sizeof(*union_desc)) { union_desc = (struct usb_cdc_union_desc *)buf; + if (union_desc->bLength > buflen) { + dev_err(&intf->dev, "Too large descriptor\n"); + return NULL; + } + if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE && union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) { dev_dbg(&intf->dev, "Found union header\n"); - return union_desc; + + if (union_desc->bLength >= sizeof(*union_desc)) + return union_desc; + + dev_err(&intf->dev, + "Union descriptor to short (%d vs %zd\n)", + union_desc->bLength, sizeof(*union_desc)); + return NULL; } buflen -= union_desc->bLength;
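Review bot: the new `if (union_desc->bLength > buflen)` check bounds bLength from above only, so a descriptor reporting bLength == 0 (or 1) is still accepted and `buflen -= union_desc->bLength;` then leaves buflen unchanged, stalling the walk in an endless loop on device-controlled input; reject bLength below the 2-byte descriptor header in the same place (`if (union_desc->bLength < 2 || union_desc->bLength > buflen)`). Separately, the new dev_err format "Union descriptor to short (%d vs %zd\n)" has a typo ("to" should be "too") and the newline sits inside the parentheses; "Union descriptor too short (%d vs %zd)\n" is the intended string.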
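As an added example (not the driver's code and not part of this thread), a stand-alone walker over the device-supplied class-specific descriptor bytes that applies the same checks the patch introduces, plus a guard against a zero-length descriptor that would otherwise never advance the walk; the struct and constants are local copies of the USB CDC definitions rather than the kernel headers, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local copies of the USB CDC constants/layout used by the driver; this is
 * an illustration, not the kernel's <linux/usb/cdc.h>. */
#define USB_DT_CS_INTERFACE 0x24
#define USB_CDC_UNION_TYPE  0x06

struct cdc_union_desc {
    uint8_t bLength;
    uint8_t bDescriptorType;
    uint8_t bDescriptorSubType;
    uint8_t bMasterInterface0;
    uint8_t bSlaveInterface0;
};

/* Walk the device-supplied "extra" descriptor bytes and return the offset of a
 * complete union descriptor, or -1. Every bLength is untrusted: it is checked
 * against the bytes that remain before anything past the header is read. */
int find_union_desc(const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    while (buflen - off >= 2) {            /* need bLength + bDescriptorType */
        uint8_t len = buf[off];
        if (len < 2)                       /* bLength 0/1 would never advance */
            return -1;
        if (len > buflen - off)            /* claims more bytes than remain */
            return -1;
        if (len >= 3 && buf[off + 1] == USB_DT_CS_INTERFACE &&
            buf[off + 2] == USB_CDC_UNION_TYPE) {
            /* Union header found: only usable if the whole struct is present. */
            return len >= sizeof(struct cdc_union_desc) ? (int)off : -1;
        }
        off += len;                        /* skip to the next descriptor */
    }
    return -1;                             /* not found, or trailing runt */
}

int main(void)
{
    /* Constructed samples: a 5-byte CDC header descriptor followed by a union
     * descriptor, and a union descriptor whose bLength claims only 3 bytes. */
    const uint8_t good[] = {5, 0x24, 0x00, 0x10, 0x01, 5, 0x24, 0x06, 0x00, 0x01};
    const uint8_t runt[] = {3, 0x24, 0x06};
    printf("good: offset %d\n", find_union_desc(good, sizeof good));  /* 5 */
    printf("runt: offset %d\n", find_union_desc(runt, sizeof runt));  /* -1 */
    return 0;
}
```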