From patchwork Thu Dec  9 15:33:29 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Oliver Neukum <oneukum@suse.com>
X-Patchwork-Id: 12666747
Return-Path: <linux-usb-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A6C2EC433F5
	for <linux-usb@archiver.kernel.org>; Thu,  9 Dec 2021 15:33:35 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235583AbhLIPhI (ORCPT <rfc822;linux-usb@archiver.kernel.org>);
        Thu, 9 Dec 2021 10:37:08 -0500
Received: from de-smtp-delivery-102.mimecast.com ([194.104.109.102]:55022
 "EHLO
        de-smtp-delivery-102.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S235464AbhLIPhI (ORCPT
        <rfc822;linux-usb@vger.kernel.org>); Thu, 9 Dec 2021 10:37:08 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com;
 s=mimecast20200619;
        t=1639064013;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:mime-version:mime-version:content-type:content-type;
        bh=TU9wBEVUTkFv33X4xCVj8Ur0dG8AefLXkRrjzUKrd8g=;
        b=bGcdETQb+OeCn1065BACyNmO2yGB3JmHVdqTSlTWRN2/25eJYrez+Th0U+GAi71Xrr88Iz
        l0EsUWmD7eBnSKM+SLJQPv7a7B9BugDdPe5kymGWqDhmQXwwHmEJtAcmLzUsifQcp1LO0k
        0wP+g9H+A1G40J3u1JcOnvChJ/zAQ+k=
Received: from EUR03-AM5-obe.outbound.protection.outlook.com
 (mail-am5eur03lp2057.outbound.protection.outlook.com [104.47.8.57]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 de-mta-9-reCzyUSZP5KH5Tlni_6UBg-1; Thu, 09 Dec 2021 16:33:32 +0100
X-MC-Unique: reCzyUSZP5KH5Tlni_6UBg-1
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=hIk1pXg4jHoYwUrHfseioHc9DAijORTxuJYuCn8LtXJ38uD9UEhVF3e6xQZsatswYR+vMP07OcS0LN3JXkYnz6qQQr/ZV/xwWXlLEOC2+17OHy+oqhhf5b6vfulQ4fCDodXO13dBfH5hAVHMK5HVwMvN8W06LLcMigZBSxT1gZZimjrUxCS7QGd0DanM+H55kD8ly55wXqpkWW/f/fmKz1HZF+Qh6b3Qn8HYZhch4h89sNgT0+QMQWIb3wqGxlBhsahLDS/0U/HoTA2GfukI4xcBAOZE/3fTk3L2BhRRo2ITgAEzXA7saWRIpOr2WXZGbvfnYVbHr9z+MDi9R0Getg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=TU9wBEVUTkFv33X4xCVj8Ur0dG8AefLXkRrjzUKrd8g=;
 b=ab5yL8azNS/7RW4+jLnwbphwIvY5acUWXursrIuZ0JLXGcKLPdj63/n/fHWtg3SplJH/VTy7NXyDOH3PHSMe7tW8jWzZwvLV+PetNi2KEQkhcnb4ZBaoCJGme1t2pWCm21rV9PrKu2+NdxcvBvztZ/FHi+YO9g43eOPuh13apIMyLy8oBbF80cg3mBCLZlh611qQN43HJXio34pXVmmRNVvfNtMHNn8N17RwbJqGCPH1oYv4NaIAGMjnDvIxSbt+Iksxn70POX59L6wnLHfYO/kQefBdHFY6tWodsPxAKz2P19MQTCtskQLpdC192fh18Ev3RXc4fh8J8D2OUuWP+w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com;
 dkim=pass header.d=suse.com; arc=none
Authentication-Results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=suse.com;
Received: from DB7PR04MB5050.eurprd04.prod.outlook.com (2603:10a6:10:22::23)
 by DB7PR04MB5402.eurprd04.prod.outlook.com (2603:10a6:10:8f::25) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4778.12; Thu, 9 Dec
 2021 15:33:31 +0000
Received: from DB7PR04MB5050.eurprd04.prod.outlook.com
 ([fe80::e9d6:1be9:d046:af1]) by DB7PR04MB5050.eurprd04.prod.outlook.com
 ([fe80::e9d6:1be9:d046:af1%7]) with mapi id 15.20.4755.024; Thu, 9 Dec 2021
 15:33:31 +0000
To: linux-usb@vger.kernel.org
From: Oliver Neukum <oneukum@suse.com>
Subject: [RFC]How else could a malicious device sabotage endpoints for usbnet
Message-ID: <ad1ee829-401a-d051-1da8-f9e01caa7b85@suse.com>
Date: Thu, 9 Dec 2021 16:33:29 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.12.0
Content-Language: en-US
X-ClientProxiedBy: AM5PR0701CA0016.eurprd07.prod.outlook.com
 (2603:10a6:203:51::26) To DB7PR04MB5050.eurprd04.prod.outlook.com
 (2603:10a6:10:22::23)
MIME-Version: 1.0
Received: from localhost.localdomain (2001:a61:3b82:1901:9d6b:5ffd:1b6b:2163)
 by AM5PR0701CA0016.eurprd07.prod.outlook.com (2603:10a6:203:51::26) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4755.24 via Frontend
 Transport; Thu, 9 Dec 2021 15:33:30 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: aeefc571-c5b0-4478-0cc1-08d9bb2940ec
X-MS-TrafficTypeDiagnostic: DB7PR04MB5402:EE_
X-Microsoft-Antispam-PRVS: 
 <DB7PR04MB540213B22B6CDC69577BC6C5C7709@DB7PR04MB5402.eurprd04.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:7219;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
 BJ1rw/KmXw9EWW5xaeWzS6+EtchsYqGLDytN7acGoo2mA5m3LpAQHn3/z16rqFXMLnyTzDIlnXXg9bwosVkYj13jLMjaKntVmSdrrkb+2FESNHTWju3+rZGim7nGaKBpm3xCIy7tPvRm436tZzfDattZccxZ0S4LWjprIFsJ567vBx9gn1RC6EQC/szUaZHTFwbYuSudKDCRzrXWhkdrf+yEk0Cs44kex/kkB8+2Tjdt0bsMPFzAYm2xFqZlSf1NKN4qhoeMLXdWbxmjbPg5M005Eaq3wLpe9537X8mv6ld2audOIgNAiF3bJr1mlXv6qJg7G2K/6vvnrTSr6qnpzBy+5O1xRD9hOcP/ZdGU4PhzP0ymYXIcRIT+z0Ca7JC/6a1TJZ7HcnWEcifPAnws7YHYCddsi7t9X9200F5ymW75AaIUdBHSoWoylToCOtKfV52XTqDJSAQUgcJsSUhXhwnvlBOYSgOymvq5V7uWO+F3vW97En3+bIoA8SmsSfPh6qGijdfuwta3QJ0iXZqQ3uOr8Derjol/kNKtauDq6QHJdOLH4o+RstauXs0Jdh6WLmaRVilFHFOLymKzdDTljSAW9k+nCBMo/dY11B32anjPQFaMQ8pJUX6Ef5zVlml5fureNZDYpRzbixsFtmaOLY0VT5qj2PEuA6fuSLmlJ9wnZ98WnZJUdtpnQzxt0fN+zqPffbsDVTLxPGR8vjPeywt9b6Hi8FbNGGrnaAiRgcGBz3C5aY60FQlV539pRFkHd5CDAsH1YNPEJ47rV1XUnw==
X-Forefront-Antispam-Report: 
 CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DB7PR04MB5050.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(366004)(36756003)(31696002)(33964004)(564344004)(6916009)(31686004)(86362001)(2616005)(6506007)(66946007)(186003)(235185007)(8676002)(6512007)(508600001)(38100700002)(66556008)(66476007)(6486002)(8936002)(2906002)(5660300002)(316002)(43740500002)(45980500001)(554374003);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?MHo7P+0we/6hfs4SE7flbfQcdIKG?=
	=?utf-8?q?YZwHvx2bzacDIWKIgN2EuUBslsNkauYhNI6HjbmoL8p0IMCKcS1Sr5wFUvemGkHwe?=
	=?utf-8?q?XOqtDjLR4JAEJIfGgqiRLj8RNwKCv13nG/nGLmxIkgtHQN4OTskVsYd74cwXKxdBW?=
	=?utf-8?q?MxhSkpccZn5AJ0yFgYN9IVxlb0V2nsgMziiC/4ps6Pcxxc8/f47LP6EGqMB13zx8W?=
	=?utf-8?q?DsD70ku7NLAhunO6ahEEHOF2/ssCVqr9L2MKJVZi3Uk8niCbSQACDRqRM6qn0FSdZ?=
	=?utf-8?q?zNJtZUQF+3ehKRpM+On/dUmXz2Mx+yAFK+gI64B7BSfL0uKC3pZnh1XMEMfUuZF0G?=
	=?utf-8?q?Cb5Hm6fk+TlqkAGXWvdq09rHUthl36QiBL9l046jWZ9IQJOtTQNSxLfcp20B4mr1l?=
	=?utf-8?q?Lm89niByq/kil29sdDNySSRHsxm9eRFvqtwA1bE7Ost7nTE/4ljEQ5CCfxshVc5yE?=
	=?utf-8?q?wy7co8gzK6VMyXfTq8/zHPf12Uu8ZyoMu2/jlq0+KT6yWNWrtaTOuf/vrRDnPX9L4?=
	=?utf-8?q?zoN11cw5CI6WToMx1Ld2b8KpW5QrYWXMnELOSrhAHCgzkiu9BeT/HXD8BlWitkMEs?=
	=?utf-8?q?sM6h+x4+InhGzC0JFm2UODNc2FMhrlYUOjrHF8Wzrr4GOQVMFWdMjVK/Z00lP6lv6?=
	=?utf-8?q?z2iIBAR0K0W47hWxSxAXOdsPYeiHFNBgBsdrhx8uUBaJDFWkhGkALFM0MC+nvq9wc?=
	=?utf-8?q?6rKxs8yFIEc4Zc14JLmWjEpqudw5F5MUEOymzUZ1UGfjGGYWhm/fp2doyXJGIayWR?=
	=?utf-8?q?dpzqnRuRqe7AfXnsAdqMgefsNfgrVFSOoskZI/IibtxqLE2WDCoKpnqd8ima15C9k?=
	=?utf-8?q?e7vzPzjsPPUtKgNbo7BRVCvnITOOGj8zKMnkp2jgJ0KXfDEKFTciH3n3Ca9ROAVbl?=
	=?utf-8?q?7YoieDXMjHG10NLVo7ouG+BeQf/VK9siKE+gpYuOc1xiM42XPtVuWmWP6i1BzCt8r?=
	=?utf-8?q?FZgeiefP8UukSzsxz8+JwMOBU65utga1678hDbrLiYq+lRhwaIzJGWU/R+ae3zPIj?=
	=?utf-8?q?BqCK9YLIxbIgAXSYdQtCjmMLf/VWKG2kowVPCpGoLErqq0V5qK4FgKNuPE1qt3piE?=
	=?utf-8?q?d0eZQqbXHNJOk92QZB/VLm8mcnvWlTHPtb6FIOzX+2yqicab/1P3anhVP2MO0w9rU?=
	=?utf-8?q?Wd31SVDSw+im2n+poB4bF4FrCtx4HFPn9MgpaozETMrEeECQPgibtzB9Clis3jy7z?=
	=?utf-8?q?ya+cww1ZGBzKeEzaeGYnnQsFq9wXKx5bwfmprwgrP/PQ9BwiNU7w1F86UujCG4fXh?=
	=?utf-8?q?3Hhesto5HnuASMANHObraZqXu4V04K8mi86zFYguY3v/KMRccVQZRkQLHJPoDkRRt?=
	=?utf-8?q?9SaHO9uyPxH/oW/feVhJoenmylzQsi3WlLYwxNQrkBVJCuGHOxCROh11UQIHpFs7J?=
	=?utf-8?q?9H7P9pm/mQ7j51/dCDzkfCeifFp48XMfvWEy5sOnzkv6XKbRP2KN0krAfy30YO1OM?=
	=?utf-8?q?18vgRs4qQ7TTuff3Z3yodmy7/bX68JTvDt7H+5CxulNFQUwgvS8DqYemwUGiFp6tH?=
	=?utf-8?q?lzcnZr73NabpeUTf84aKnJcqQ+g7kHRBwpyvWLjme2Ip9esikW58HxYgFWZQIy0pZ?=
	=?utf-8?q?/7QIBP57AHlvxOp+zabBDdIOh0vrZfeuivbjut5zqswppFToCknm9Q=3D?=
X-OriginatorOrg: suse.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 aeefc571-c5b0-4478-0cc1-08d9bb2940ec
X-MS-Exchange-CrossTenant-AuthSource: DB7PR04MB5050.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Dec 2021 15:33:30.9309
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 fqoVwEYD3m/Bp/YiIkz4fqLNKf6vzCFM+8BDgvwhHRP2FTeb/D5qZokz8z/Oyq+bAUB43HlMfqvaXPeM3F4YyA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR04MB5402
Precedence: bulk
List-ID: <linux-usb.vger.kernel.org>
X-Mailing-List: linux-usb@vger.kernel.org

Hi,

I have checked for type, direction and number of endpoints.
But I keep thinking that I have overlooked a way to make broken
endpoint descriptors. Any suggestions?

    Regards
        Oliver

From 853e421630f82fb3b7005ad0b294c091a064ac39 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 18 Nov 2021 18:15:03 +0100
Subject: [PATCH] usbnet: sanity check for endpoint types

A malicious device can pretend to be a device with a known
configuration of endpoints yet present endpoints of the wrong type
or too few or none at all.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/net/usb/usbnet.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 9a6450f796dc..b1f93810a6f3 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -91,6 +91,31 @@ static const char * const usbnet_event_names[] = {
 	[EVENT_NO_IP_ALIGN]	   = "EVENT_NO_IP_ALIGN",
 };
 
+bool usbnet_validate_endpoints(struct usbnet *dev, struct usb_interface *intf, const struct driver_info *info)
+{
+	struct usb_host_interface *alt = intf->cur_altsetting;
+	struct usb_host_endpoint *e;
+	int num_endpoints = alt->desc.bNumEndpoints;
+
+	if (info->in > num_endpoints)
+		return false;
+	e = alt->endpoint + info->in;
+	if (!e)
+		return false;
+	if (!usb_endpoint_is_bulk_in(&e->desc))
+		return false;
+
+	if (info->out > num_endpoints)
+		return false;
+	e = alt->endpoint + info->out;
+	if (!e)
+		return false;
+	if (!usb_endpoint_is_bulk_out(&e->desc))
+		return false;
+
+	return true;
+}
+
 /* handles CDC Ethernet and many other network "bulk data" interfaces */
 int usbnet_get_endpoints(struct usbnet *dev, struct usb_interface *intf)
 {
@@ -1772,6 +1797,8 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
 	} else if (!info->in || !info->out)
 		status = usbnet_get_endpoints (dev, udev);
 	else {
+		if (!usbnet_validate_endpoints(dev, udev, info))
+			goto out3;
 		dev->in = usb_rcvbulkpipe (xdev, info->in);
 		dev->out = usb_sndbulkpipe (xdev, info->out);
 		if (!(info->flags & FLAG_NO_SETINT))
-- 
2.26.2