[RFC,1/6] usb: usb_parse_endpoint ignore reserved bits

Message ID	20240411124722.17343-2-oneukum@suse.com (mailing list archive)
State	Superseded
Headers	show Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4AD0013E88B for <linux-usb@vger.kernel.org>; Thu, 11 Apr 2024 12:47:28 +0000 (UTC) From: Oliver Neukum <oneukum@suse.com> To: linux-usb@vger.kernel.org Cc: Oliver Neukum <oneukum@suse.com> Subject: [RFC 1/6] usb: usb_parse_endpoint ignore reserved bits Date: Thu, 11 Apr 2024 14:42:59 +0200 Message-ID: <20240411124722.17343-2-oneukum@suse.com> In-Reply-To: <20240411124722.17343-1-oneukum@suse.com> References: <20240411124722.17343-1-oneukum@suse.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit default: False [0.16 / 50.00]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_MISSING_CHARSET(0.50)[]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; BAYES_HAM(-0.04)[59.07%]; ARC_NA(0.00)[]; DKIM_SIGNED(0.00)[suse.com:s=susede1]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_TWO(0.00)[2]; FUZZY_BLOCKED(0.00)[rspamd.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; FROM_EQ_ENVFROM(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCVD_TLS_ALL(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:email,imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns]
Series	[RFC,1/6] usb: usb_parse_endpoint ignore reserved bits \| expand [RFC,1/6] usb: usb_parse_endpoint ignore reserved bits [RFC,2/6] usb: avoid overrunning a buffer in usb_parse_interface [RFC,3/6] usb: usb_parse_endpoint needs to guard against short descriptors [RFC,4/6] usb: usb_parse_endpoint guard against an incromprehensible preamble [RFC,5/6] usb: usb_parse_endpoint must not count duplicated endpoints [RFC,6/6] usb: config: find_next_descriptor can overflow buffer

Message ID

20240411124722.17343-2-oneukum@suse.com (mailing list archive)

State

Superseded

Headers

From: Oliver Neukum <oneukum@suse.com>
To: linux-usb@vger.kernel.org
Cc: Oliver Neukum <oneukum@suse.com>
Subject: [RFC 1/6] usb: usb_parse_endpoint ignore reserved bits
Date: Thu, 11 Apr 2024 14:42:59 +0200
Message-ID: <20240411124722.17343-2-oneukum@suse.com>
In-Reply-To: <20240411124722.17343-1-oneukum@suse.com>
References: <20240411124722.17343-1-oneukum@suse.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[RFC,1/6] usb: usb_parse_endpoint ignore reserved bits | expand

Comments

Greg KH April 11, 2024, 2:11 p.m. UTC | #1

On Thu, Apr 11, 2024 at 02:42:59PM +0200, Oliver Neukum wrote:
> We have to ignore the higher bits in bEndpointAddress

Why?

> Signed-off-by: Oliver Neukum <oneukum@suse.com>
> ---
>  drivers/usb/core/config.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 7f8d33f92ddb..c7056b123d46 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -279,11 +279,11 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno,
>  		goto skip_to_next_endpoint_or_interface_descriptor;
>  	}
>  
> -	i = d->bEndpointAddress & ~USB_ENDPOINT_DIR_MASK;
> -	if (i >= 16 || i == 0) {
> +	i = d->bEndpointAddress & 0x0f;
> +	if (i == 0) {
>  		dev_notice(ddev, "config %d interface %d altsetting %d has an "
> -		    "invalid endpoint with address 0x%X, skipping\n",
> -		    cfgno, inum, asnum, d->bEndpointAddress);
> +		    "invalid descriptor for the common control endpoint, skipping\n",
> +		    cfgno, inum, asnum);

So now we just ignore invalid descriptors here and let them pass?

confused,

greg k-h

Oliver Neukum April 11, 2024, 2:27 p.m. UTC | #2

On 11.04.24 16:11, Greg KH wrote:
> On Thu, Apr 11, 2024 at 02:42:59PM +0200, Oliver Neukum wrote:
>> We have to ignore the higher bits in bEndpointAddress
> 
> Why?

Because if we do not, we are breaking compatibility with all future
standards that use those bits in backwards compatible manner.

	Regards
		Oliver

Greg KH April 11, 2024, 2:58 p.m. UTC | #3

On Thu, Apr 11, 2024 at 04:27:26PM +0200, Oliver Neukum wrote:
> On 11.04.24 16:11, Greg KH wrote:
> > On Thu, Apr 11, 2024 at 02:42:59PM +0200, Oliver Neukum wrote:
> > > We have to ignore the higher bits in bEndpointAddress
> > 
> > Why?
> 
> Because if we do not, we are breaking compatibility with all future
> standards that use those bits in backwards compatible manner.

Ok, that's great, then say that in the changelog please :)

thanks,

greg k-h

Alan Stern April 11, 2024, 3:35 p.m. UTC | #4

On Thu, Apr 11, 2024 at 02:42:59PM +0200, Oliver Neukum wrote:
> We have to ignore the higher bits in bEndpointAddress

Mention that these bits are reserved.  That's why we ought to ignore 
them.

Also, this is not really an example of hardening; it's more like 
future-proofing the code.  The existing code will work fine with a 
malicious device; your real concern is about possible changes to the 
spec in the future.

> Signed-off-by: Oliver Neukum <oneukum@suse.com>
> ---
>  drivers/usb/core/config.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 7f8d33f92ddb..c7056b123d46 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -279,11 +279,11 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno,
>  		goto skip_to_next_endpoint_or_interface_descriptor;
>  	}
>  
> -	i = d->bEndpointAddress & ~USB_ENDPOINT_DIR_MASK;
> -	if (i >= 16 || i == 0) {
> +	i = d->bEndpointAddress & 0x0f;

Use USB_ENDPOINT_NUMBER_MASK, not 0x0f.

> +	if (i == 0) {
>  		dev_notice(ddev, "config %d interface %d altsetting %d has an "
> -		    "invalid endpoint with address 0x%X, skipping\n",
> -		    cfgno, inum, asnum, d->bEndpointAddress);
> +		    "invalid descriptor for the common control endpoint, skipping\n",

It would be clearer to say "endpoint 0" instead of "the common control 
endpoint".  (The spec uses that phrase; it doesn't mean this is the best 
way of saying it.)

> +		    cfgno, inum, asnum);
>  		goto skip_to_next_endpoint_or_interface_descriptor;
>  	}

Otherwise this is okay.

Alan Stern

Oliver Neukum April 11, 2024, 3:40 p.m. UTC | #5

On 11.04.24 17:35, Alan Stern wrote:
> On Thu, Apr 11, 2024 at 02:42:59PM +0200, Oliver Neukum wrote:
>> We have to ignore the higher bits in bEndpointAddress
> 
> Mention that these bits are reserved.  That's why we ought to ignore
> them.

OK

> Also, this is not really an example of hardening; it's more like
> future-proofing the code.  The existing code will work fine with a
> malicious device; your real concern is about possible changes to the
> spec in the future.

It seemed to me like a vector for a DoS, but in hindsight, yes I'll
take it out of the series.

	Regards
		Oliver

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 7f8d33f92ddb..c7056b123d46 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -279,11 +279,11 @@  static int usb_parse_endpoint(struct device *ddev, int cfgno,
 		goto skip_to_next_endpoint_or_interface_descriptor;
 	}
 
-	i = d->bEndpointAddress & ~USB_ENDPOINT_DIR_MASK;
-	if (i >= 16 || i == 0) {
+	i = d->bEndpointAddress & 0x0f;
+	if (i == 0) {
 		dev_notice(ddev, "config %d interface %d altsetting %d has an "
-		    "invalid endpoint with address 0x%X, skipping\n",
-		    cfgno, inum, asnum, d->bEndpointAddress);
+		    "invalid descriptor for the common control endpoint, skipping\n",
+		    cfgno, inum, asnum);
 		goto skip_to_next_endpoint_or_interface_descriptor;
 	}

[RFC,1/6] usb: usb_parse_endpoint ignore reserved bits

Commit Message

Comments

Patch