Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f20f2b33 authored by Alan Stern's avatar Alan Stern Committed by Sriharsha Allenki
Browse files

USB: core: prevent malicious bNumInterfaces overflow 



commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 upstream.

A malicious USB device with crafted descriptors can cause the kernel
to access unallocated memory by setting the bNumInterfaces value too
high in a configuration descriptor.  Although the value is adjusted
during parsing, this adjustment is skipped in one of the error return
paths.

This patch prevents the problem by setting bNumInterfaces to 0
initially.  The existing code already sets it to the proper value
after parsing is complete.

Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 
Git-repo: https://github.com/torvalds/linux
Change-Id: I83367be55d2a4458271e098e9dae7be7c07dfef8
parent b26a24c8

drivers/usb/core/config.c

+3 −1
Original line number Original line Diff line number Diff line
@@ -432,6 +432,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx, 
	unsigned iad_num = 0;

	unsigned iad_num = 0;





	memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);

	memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);

	nintf = nintf_orig = config->desc.bNumInterfaces;

	config->desc.bNumInterfaces = 0;	// Adjusted later



	if (config->desc.bDescriptorType != USB_DT_CONFIG ||

	if (config->desc.bDescriptorType != USB_DT_CONFIG ||

	    config->desc.bLength < USB_DT_CONFIG_SIZE ||

	    config->desc.bLength < USB_DT_CONFIG_SIZE ||

	    config->desc.bLength > size) {

	    config->desc.bLength > size) {
@@ -445,7 +448,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx, 
	buffer += config->desc.bLength;

	buffer += config->desc.bLength;

	size -= config->desc.bLength;

	size -= config->desc.bLength;





	nintf = nintf_orig = config->desc.bNumInterfaces;

	if (nintf > USB_MAXINTERFACES) {

	if (nintf > USB_MAXINTERFACES) {

		dev_warn(ddev, "config %d has too many interfaces: %d, "

		dev_warn(ddev, "config %d has too many interfaces: %d, "

		    "using maximum allowed: %d\n",

		    "using maximum allowed: %d\n",