Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f3e95726 authored by Shuah Khan's avatar Shuah Khan Committed by Greg Kroah-Hartman
Browse files

usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input 



commit c6688ef9f29762e65bce325ef4acd6c675806366 upstream.

Harden CMD_SUBMIT path to handle malicious input that could trigger
large memory allocations. Add checks to validate transfer_buffer_length
and number_of_packets to protect against bad input requesting for
unbounded memory allocations. Validate early in get_pipe() and return
failure.

Reported-by: default avatarSecunia Research <vuln@secunia.com>
Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent b6dbace9

drivers/usb/usbip/stub_rx.c

+31 −4
Original line number Diff line number Diff line
@@ -336,11 +336,13 @@ static struct stub_priv *stub_priv_alloc(struct stub_device *sdev, 
	return priv;

}



static int get_pipe(struct stub_device *sdev, int epnum, int dir)

static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu)

{

	struct usb_device *udev = sdev->udev;

	struct usb_host_endpoint *ep;

	struct usb_endpoint_descriptor *epd = NULL;

	int epnum = pdu->base.ep;

	int dir = pdu->base.direction;



	if (epnum < 0 || epnum > 15)

		goto err_ret;
@@ -353,6 +355,15 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) 
		goto err_ret;



	epd = &ep->desc;



	/* validate transfer_buffer_length */

	if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {

		dev_err(&sdev->udev->dev,

			"CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n",

			pdu->u.cmd_submit.transfer_buffer_length);

		return -1;

	}



	if (usb_endpoint_xfer_control(epd)) {

		if (dir == USBIP_DIR_OUT)

			return usb_sndctrlpipe(udev, epnum);
@@ -375,6 +386,21 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) 
	}



	if (usb_endpoint_xfer_isoc(epd)) {

		/* validate packet size and number of packets */

		unsigned int maxp, packets, bytes;



		maxp = usb_endpoint_maxp(epd);

		maxp *= usb_endpoint_maxp_mult(epd);

		bytes = pdu->u.cmd_submit.transfer_buffer_length;

		packets = DIV_ROUND_UP(bytes, maxp);



		if (pdu->u.cmd_submit.number_of_packets < 0 ||

		    pdu->u.cmd_submit.number_of_packets > packets) {

			dev_err(&sdev->udev->dev,

				"CMD_SUBMIT: isoc invalid num packets %d\n",

				pdu->u.cmd_submit.number_of_packets);

			return -1;

		}

		if (dir == USBIP_DIR_OUT)

			return usb_sndisocpipe(udev, epnum);

		else
@@ -383,7 +409,7 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) 


err_ret:

	/* NOT REACHED */

	dev_err(&sdev->udev->dev, "get pipe() invalid epnum %d\n", epnum);

	dev_err(&sdev->udev->dev, "CMD_SUBMIT: invalid epnum %d\n", epnum);

	return -1;

}
@@ -448,7 +474,7 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, 
	struct stub_priv *priv;

	struct usbip_device *ud = &sdev->ud;

	struct usb_device *udev = sdev->udev;

	int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction);

	int pipe = get_pipe(sdev, pdu);



	if (pipe == -1)

		return;
@@ -470,7 +496,8 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, 
	}



	/* allocate urb transfer buffer, if needed */

	if (pdu->u.cmd_submit.transfer_buffer_length > 0) {

	if (pdu->u.cmd_submit.transfer_buffer_length > 0 &&

	    pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) {

		priv->urb->transfer_buffer =

			kzalloc(pdu->u.cmd_submit.transfer_buffer_length,

				GFP_KERNEL);