Input: ims-psu - check if CDC union descriptor is sane (c0f26c8f) · Commits · e / devices / android_kernel_xiaomi_markw

commit ea04efee7635c9120d015dcdeeeb6988130cb67a upstream. Before trying to use CDC union descriptor, try to validate whether that it is sane by checking that intf->altsetting->extra is big enough and that descriptor bLength is not too big and not too small. Reported-by:

Andrey Konovalov <andreyknvl@google.com> Signed-off-by:

Dmitry Torokhov <dmitry.torokhov@gmail.com> Cc: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/input/misc/ims-pcu.c

+14 −2

Original line number	Diff line number	Diff line
		@@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_interface *intf)
		return NULL;
		}

		while (buflen > 0) {
		while (buflen >= sizeof(*union_desc)) {
		union_desc = (struct usb_cdc_union_desc *)buf;

		if (union_desc->bLength > buflen) {
		dev_err(&intf->dev, "Too large descriptor\n");
		return NULL;
		}

		if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE &&
		union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) {
		dev_dbg(&intf->dev, "Found union header\n");

		if (union_desc->bLength >= sizeof(*union_desc))
		return union_desc;

		dev_err(&intf->dev,
		"Union descriptor to short (%d vs %zd\n)",
		union_desc->bLength, sizeof(*union_desc));
		return NULL;
		}

		buflen -= union_desc->bLength;