Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7a68d9fb authored by Oliver Neukum's avatar Oliver Neukum Committed by Greg Kroah-Hartman
Browse files

USB: usbdevfs: sanitize flags more 



Requesting a ZERO_PACKET or not is sensible only for output.
In the input direction the device decides.
Likewise accepting short packets makes sense only for input.

This allows operation with panic_on_warn without opening up
a local DOS.

Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
Reported-by: default avatar <syzbot+843efa30c8821bd69f53@syzkaller.appspotmail.com>
Fixes: 0cb54a3e ("USB: debugging code shouldn't alter control flow")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent e871db8d

drivers/usb/core/devio.c

+16 −3
Original line number Diff line number Diff line
@@ -1434,10 +1434,13 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb 
	struct async *as = NULL;

	struct usb_ctrlrequest *dr = NULL;

	unsigned int u, totlen, isofrmlen;

	int i, ret, is_in, num_sgs = 0, ifnum = -1;

	int i, ret, num_sgs = 0, ifnum = -1;

	int number_of_packets = 0;

	unsigned int stream_id = 0;

	void *buf;

	bool is_in;

	bool allow_short = false;

	bool allow_zero = false;

	unsigned long mask =	USBDEVFS_URB_SHORT_NOT_OK |

				USBDEVFS_URB_BULK_CONTINUATION |

				USBDEVFS_URB_NO_FSBR |
@@ -1471,6 +1474,8 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb 
	u = 0;

	switch (uurb->type) {

	case USBDEVFS_URB_TYPE_CONTROL:

		if (is_in)

			allow_short = true;

		if (!usb_endpoint_xfer_control(&ep->desc))

			return -EINVAL;

		/* min 8 byte setup packet */
@@ -1511,6 +1516,10 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb 
		break;



	case USBDEVFS_URB_TYPE_BULK:

		if (!is_in)

			allow_zero = true;

		else

			allow_short = true;

		switch (usb_endpoint_type(&ep->desc)) {

		case USB_ENDPOINT_XFER_CONTROL:

		case USB_ENDPOINT_XFER_ISOC:
@@ -1531,6 +1540,10 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb 
		if (!usb_endpoint_xfer_int(&ep->desc))

			return -EINVAL;

 interrupt_urb:

		if (!is_in)

			allow_zero = true;

		else

			allow_short = true;

		break;



	case USBDEVFS_URB_TYPE_ISO:
@@ -1676,9 +1689,9 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb 
	u = (is_in ? URB_DIR_IN : URB_DIR_OUT);

	if (uurb->flags & USBDEVFS_URB_ISO_ASAP)

		u |= URB_ISO_ASAP;

	if (uurb->flags & USBDEVFS_URB_SHORT_NOT_OK && is_in)

	if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)

		u |= URB_SHORT_NOT_OK;

	if (uurb->flags & USBDEVFS_URB_ZERO_PACKET)

	if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)

		u |= URB_ZERO_PACKET;

	if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)

		u |= URB_NO_INTERRUPT;