From: Oliver Neukum
To: linux-usb@vger.kernel.org
Cc: Oliver Neukum
Subject: [RFC 1/6] usb: usb_parse_endpoint ignore reserved bits
Date: Thu, 11 Apr 2024 14:42:59 +0200
Message-ID: <20240411124722.17343-2-oneukum@suse.com>
In-Reply-To: <20240411124722.17343-1-oneukum@suse.com>
References: <20240411124722.17343-1-oneukum@suse.com>

We have to ignore the higher bits in bEndpointAddress

Signed-off-by: Oliver Neukum
--- drivers/usb/core/config.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 7f8d33f92ddb..c7056b123d46 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c
@@ -279,11 +279,11 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, goto skip_to_next_endpoint_or_interface_descriptor; } - i = d->bEndpointAddress & ~USB_ENDPOINT_DIR_MASK; - if (i >= 16 || i == 0) { + i = d->bEndpointAddress & 0x0f; + if (i == 0) { dev_notice(ddev, "config %d interface %d altsetting %d has an " - "invalid endpoint with address 0x%X, skipping\n", - cfgno, inum, asnum, d->bEndpointAddress); + "invalid descriptor for the common control endpoint, skipping\n", + cfgno, inum, asnum); goto skip_to_next_endpoint_or_interface_descriptor; }
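Review bot: in `i = d->bEndpointAddress & 0x0f;` the literal 0x0f should be the named constant USB_ENDPOINT_NUMBER_MASK, so that the intent (keep the endpoint number, drop the direction and reserved bits) is readable at the call site and mirrors the USB_ENDPOINT_DIR_MASK expression it replaces. The rewritten dev_notice also drops d->bEndpointAddress from the message; keeping the raw 0x%X value would let someone reading the log see what the device actually sent. The one-line commit message should say which bits are reserved and why the old `i >= 16` test is no longer needed once they are masked.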

From: Oliver Neukum
To: linux-usb@vger.kernel.org
Cc: Oliver Neukum
Subject: [RFC 2/6] usb: avoid overrunning a buffer in usb_parse_interface
Date: Thu, 11 Apr 2024 14:43:00 +0200
Message-ID: <20240411124722.17343-3-oneukum@suse.com>
In-Reply-To: <20240411124722.17343-1-oneukum@suse.com>
References: <20240411124722.17343-1-oneukum@suse.com>

We must not touch bDescriptorType if it is not within our buffer. To guarantee that we have to be sure the first two bytes of the descriptor are within the buffer.

Signed-off-by: Oliver Neukum
Reviewed-by: Alan Stern
--- drivers/usb/core/config.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index c7056b123d46..5891652b6202 100644 --- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c 
@@ -575,7 +575,7 @@ static int usb_parse_interface(struct device *ddev, int cfgno, /* Parse all the endpoint descriptors */ n = 0; - while (size > 0) { + while (size >= sizeof(struct usb_descriptor_header)) { /* minimum length to get bDescriptorType */ if (((struct usb_descriptor_header *) buffer)->bDescriptorType == USB_DT_INTERFACE) break;
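Review bot: the new loop condition `size >= sizeof(struct usb_descriptor_header)` compares against a size_t, so if size is a signed int here (the old test `size > 0` suggests it is), a negative size is converted to a large unsigned value and the loop keeps running where the old test would have stopped. Cast the sizeof to int, or state in the commit message why size can never be negative at this point. The trailing comment after the opening brace makes the line very long; placing it on its own line above the while would read better.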

From: Oliver Neukum
To: linux-usb@vger.kernel.org
Cc: Oliver Neukum
Subject: [RFC 3/6] usb: usb_parse_endpoint needs to guard against short descriptors
Date: Thu, 11 Apr 2024 14:43:01 +0200
Message-ID: <20240411124722.17343-4-oneukum@suse.com>
In-Reply-To: <20240411124722.17343-1-oneukum@suse.com>
References: <20240411124722.17343-1-oneukum@suse.com>

If a malicious device gives us a descriptor of zero length we'll go into an infinite loop. We have to check and do a hard bailout. If we get a descriptor of length < 2 we'll parse the next descriptor as part of the current descriptor. We need to check.

Signed-off-by: Oliver Neukum
--- drivers/usb/core/config.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 5891652b6202..050cd5066ccf 100644 --- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c 
@@ -265,6 +265,9 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, const unsigned short *maxpacket_maxes; d = (struct usb_endpoint_descriptor *) buffer; + if (d->bLength < sizeof(struct usb_descriptor_header)) /* this amounts to sabotage */ + return -EINVAL; + buffer += d->bLength; size -= d->bLength;
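Review bot: the added test bounds d->bLength only from below; the two context lines that follow still run `buffer += d->bLength; size -= d->bLength;` without comparing d->bLength against size, so a descriptor that claims to be longer than the remaining buffer moves the cursor past the end and drives size negative. If an earlier pass over the configuration does not already guarantee this, add `d->bLength > size` to the same condition. The comment `/* this amounts to sabotage */` would be more useful if it stated the invariant (a descriptor must at least contain bLength and bDescriptorType), and a dev_notice before `return -EINVAL` would match how the invalid-endpoint path in this function reports what it rejects.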

From: Oliver Neukum
To: linux-usb@vger.kernel.org
Cc: Oliver Neukum
Subject: [RFC 4/6] usb: usb_parse_endpoint guard against an incomprehensible preamble
Date: Thu, 11 Apr 2024 14:43:02 +0200
Message-ID: <20240411124722.17343-5-oneukum@suse.com>
In-Reply-To: <20240411124722.17343-1-oneukum@suse.com>
References: <20240411124722.17343-1-oneukum@suse.com>

usb_parse_endpoint processes an endpoint descriptor and then advances the parser to the next endpoint descriptor. However, a malicious device could feature something other than an endpoint descriptor after the interface descriptor.

Signed-off-by: Oliver Neukum
--- drivers/usb/core/config.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 050cd5066ccf..055910fc6b19 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c
@@ -271,6 +271,8 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, buffer += d->bLength; size -= d->bLength; + if (d->bDescriptorType != USB_DT_ENDPOINT) + goto skip_to_next_endpoint_or_interface_descriptor; if (d->bLength >= USB_DT_ENDPOINT_AUDIO_SIZE) n = USB_DT_ENDPOINT_AUDIO_SIZE; else if (d->bLength >= USB_DT_ENDPOINT_SIZE)
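Review bot: the new `goto skip_to_next_endpoint_or_interface_descriptor` taken when bDescriptorType is not USB_DT_ENDPOINT is silent, unlike the endpoint-zero path in this function, which logs a dev_notice with cfgno, inum and asnum; add a message that includes the unexpected bDescriptorType so a malformed device shows up in the log. The commit message describes the problem but stops before saying what the parser now does with such a descriptor (it skips ahead to the next endpoint or interface descriptor); that sentence should be added.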

From: Oliver Neukum
To: linux-usb@vger.kernel.org
Cc: Oliver Neukum
Subject: [RFC 5/6] usb: usb_parse_endpoint must not count duplicated endpoints
Date: Thu, 11 Apr 2024 14:43:03 +0200
Message-ID: <20240411124722.17343-6-oneukum@suse.com>
In-Reply-To: <20240411124722.17343-1-oneukum@suse.com>
References: <20240411124722.17343-1-oneukum@suse.com>

When an interface is parsed the number of endpoints claimed to exist is compared to the number of endpoint descriptors actually found. Duplicated endpoints are not parsed in usb_parse_endpoint but usb_parse_interface counts them. That makes no sense. To correct this usb_parse_endpoint needs to return feedback about the validity of parsed endpoints.

Signed-off-by: Oliver Neukum
--- drivers/usb/core/config.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 055910fc6b19..50acc9021247 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -254,7 +254,7 @@ static bool config_endpoint_is_duplicate(struct usb_host_config *config, static int usb_parse_endpoint(struct device *ddev, int cfgno, struct usb_host_config *config, int inum, int asnum, struct usb_host_interface *ifp, int num_ep, - unsigned char *buffer, int size) + unsigned char *buffer, int size, bool *valid) { struct usb_device *udev = to_usb_device(ddev); unsigned char *buffer0 = buffer; @@ -270,6 +270,7 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, buffer += d->bLength; size -= d->bLength; + *valid = false; if (d->bDescriptorType != USB_DT_ENDPOINT) goto skip_to_next_endpoint_or_interface_descriptor; @@ -313,6 +314,7 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, } } + *valid = true; endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints]; ++ifp->desc.bNumEndpoints; 
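Review bot: in the second hunk `*valid = false;` is assigned only after `buffer += d->bLength; size -= d->bLength;`, so any return taken before that point leaves the caller's variable unwritten; make it the first statement of usb_parse_endpoint so the out-parameter is defined on every path. The new `bool *valid` argument also deserves a short comment at the function saying that it reports whether an endpoint was actually stored in ifp->endpoint[], since `*valid = true;` sits exactly at the `++ifp->desc.bNumEndpoints;` site.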
@@ -581,14 +583,17 @@ static int usb_parse_interface(struct device *ddev, int cfgno, /* Parse all the endpoint descriptors */ n = 0; while (size >= sizeof(struct usb_descriptor_header)) { /* minimum length to get bDescriptorType */ + bool valid; + if (((struct usb_descriptor_header *) buffer)->bDescriptorType == USB_DT_INTERFACE) break; retval = usb_parse_endpoint(ddev, cfgno, config, inum, asnum, - alt, num_ep, buffer, size); + alt, num_ep, buffer, size, &valid); if (retval < 0) return retval; - ++n; + if (valid) + ++n; buffer += retval; size -= retval;
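Review bot: `bool valid;` is declared without an initialiser and then read in `if (valid)`, which is safe only while every non-negative return from usb_parse_endpoint has written it; initialise it to false at the declaration. With this change n also excludes every descriptor the endpoint parser skips after `*valid = false` (a wrong bDescriptorType or endpoint number 0, for example), not only duplicates, while the commit message mentions duplicated endpoints alone; the message should describe the full change in what n counts.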
From patchwork Thu Apr 11 12:43:04 2024
X-Patchwork-Submitter: Oliver Neukum
X-Patchwork-Id: 13625934
From: Oliver Neukum
To: linux-usb@vger.kernel.org
Cc: Oliver Neukum
Subject: [RFC 6/6] usb: config: find_next_descriptor can overflow buffer
Date: Thu, 11 Apr 2024 14:43:04 +0200
Message-ID: <20240411124722.17343-7-oneukum@suse.com>
In-Reply-To: <20240411124722.17343-1-oneukum@suse.com>
References: <20240411124722.17343-1-oneukum@suse.com>

If you parse a data structure you cannot just test whether the remainder of your buffer holds data. It needs to hold a full data structure.

Signed-off-by: Oliver Neukum
---
drivers/usb/core/config.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 50acc9021247..43c5ed256e6e 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c
@@ -32,7 +32,7 @@ static int find_next_descriptor(unsigned char *buffer, int size, unsigned char *buffer0 = buffer; /* Find the next descriptor of type dt1 or dt2 */ - while (size > 0) { + while (size >= sizeof(struct usb_descriptor_header)) { h = (struct usb_descriptor_header *) buffer; if (h->bDescriptorType == dt1 || h->bDescriptorType == dt2) break;
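Review bot: the new loop condition `size >= sizeof(struct usb_descriptor_header)` compares the `int size` parameter against a `size_t`, so `size` is converted to unsigned and a negative value would pass the test as a very large number, whereas the old `size > 0` was a signed comparison that rejected it. If `size` can ever drop below zero inside the loop (the decrement is not visible in this hunk), the new check is weaker in that case than the one it replaces; casting the right-hand side, as in `size >= (int)sizeof(struct usb_descriptor_header)`, keeps the comparison signed. Note also that this guarantees only that the two-byte header, and so `h->bDescriptorType`, is readable; the commit message speaks of the buffer holding a full data structure, so a comment saying that `h->bLength` is still unchecked against the remaining `size` at this point would make the intended guarantee clear.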