Re: usb/core: slab-out-of-bounds in usb_get_bos_descriptor

From: Andrey Konovalov
Date: Wed Oct 18 2017 - 12:34:42 EST


On Wed, Oct 18, 2017 at 5:25 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> On Wed, 18 Oct 2017, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
>>
>> Looks like usb_get_bos_descriptor() doesn't check that the buffer has
>> enough space for usb_dev_cap_header, which causes out-of-bounds
>> accesses.
>
> Please try the patch below.
>
> Alan Stern

Hi Alan,

This patch fixes the issue.

Thanks!

Tested-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>

>
>
>
> Index: usb-4.x/drivers/usb/core/config.c
> ===================================================================
> --- usb-4.x.orig/drivers/usb/core/config.c
> +++ usb-4.x/drivers/usb/core/config.c
> @@ -952,10 +952,12 @@ int usb_get_bos_descriptor(struct usb_de
> for (i = 0; i < num; i++) {
> buffer += length;
> cap = (struct usb_dev_cap_header *)buffer;
> - length = cap->bLength;
>
> - if (total_len < length)
> + if (total_len < sizeof(*cap) || total_len < cap->bLength) {
> + dev->bos->desc->bNumDeviceCaps = i;
> break;
> + }
> + length = cap->bLength;
> total_len -= length;
>
> if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
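Review bot: the new condition at the top of the loop body stops the read past total_len, but it does not reject a cap->bLength smaller than sizeof(*cap). With bLength == 0 the check passes, length becomes 0, and the next iteration's buffer += length re-reads the same header for every remaining i; with bLength of 1 or 2 the next header is parsed from bytes overlapping the current one. Both stay within total_len, so there is no out-of-bounds access, but the loop would avoid the wasted iterations if the condition also covered it, e.g. `if (total_len < sizeof(*cap) || cap->bLength < sizeof(*cap) || total_len < cap->bLength) {`. Setting bNumDeviceCaps = i before the break is right, since it keeps the stored count consistent with the capabilities actually parsed.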
>
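The bug and its fix, illustrated as a stand-alone C example added here (not the kernel's code and not Alan's patch): a minimal BOS capability walker that checks the remaining byte count against the capability header size before reading bLength, as the patch does, and additionally clamps wTotalLength to the bytes actually received and rejects a bLength shorter than the header. The descriptor layouts, the function name count_device_caps and the sample buffers are constructed for this example; the second buffer mimics the reported case, where the device delivers fewer bytes than wTotalLength claims and the last capability header is cut off.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal descriptor layouts modelled on the USB 3 BOS format
 * (example definitions, not the kernel's structs). */
#define USB_DT_BOS               0x0f
#define USB_DT_DEVICE_CAPABILITY 0x10

struct dev_cap_header {
    uint8_t bLength;
    uint8_t bDescriptorType;
    uint8_t bDevCapabilityType;
};

/* Walk the capability descriptors that follow a BOS header.
 * buf_len is the number of bytes actually received, which a misbehaving
 * device may make smaller than the wTotalLength it advertises.
 * Returns the number of well-formed capabilities, or -1 if the BOS
 * header itself is malformed. */
int count_device_caps(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < 5 || buf[0] < 5 || buf[1] != USB_DT_BOS)
        return -1;

    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8); /* wTotalLength */
    if (total > buf_len)
        total = buf_len;            /* never trust wTotalLength beyond what arrived */

    unsigned num = buf[4];          /* bNumDeviceCaps, also untrusted */
    size_t off = buf[0];            /* skip the BOS header */
    if (off > total)
        return -1;

    int found = 0;
    for (unsigned i = 0; i < num; i++) {
        /* The check the original code lacked: make sure a whole header
         * fits before touching any of its fields. */
        if (total - off < sizeof(struct dev_cap_header))
            break;
        const uint8_t *cap = buf + off;
        uint8_t len = cap[0];
        /* bLength must at least cover the header and fit the remaining bytes. */
        if (len < sizeof(struct dev_cap_header) || total - off < len)
            break;
        off += len;
        if (cap[1] != USB_DT_DEVICE_CAPABILITY)
            continue;               /* wrong type: skip it, as the kernel loop does */
        found++;
    }
    return found;
}

/* Constructed sample buffers (not captured from a real device). */

/* Well-formed: BOS header with wTotalLength=22 and 2 capabilities. */
static const uint8_t bos_ok[] = {
    0x05, USB_DT_BOS, 0x16, 0x00, 0x02,
    0x07, USB_DT_DEVICE_CAPABILITY, 0x02, 0x00, 0x00, 0x00, 0x00,             /* 7-byte cap */
    0x0a, USB_DT_DEVICE_CAPABILITY, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 10-byte cap */
};

/* Same header, but only 14 bytes were delivered: the second capability
 * header is cut off after two bytes. Reading its bLength without a size
 * check is the out-of-bounds access from the report. */
static const uint8_t bos_truncated[] = {
    0x05, USB_DT_BOS, 0x16, 0x00, 0x02,
    0x07, USB_DT_DEVICE_CAPABILITY, 0x02, 0x00, 0x00, 0x00, 0x00,
    0x0a, USB_DT_DEVICE_CAPABILITY,
};

/* A capability claiming bLength=0: rejected so the walk cannot stall. */
static const uint8_t bos_zero_len[] = {
    0x05, USB_DT_BOS, 0x08, 0x00, 0x01,
    0x00, USB_DT_DEVICE_CAPABILITY, 0x02,
};

int demo_ok(void)        { return count_device_caps(bos_ok, sizeof bos_ok); }
int demo_truncated(void) { return count_device_caps(bos_truncated, sizeof bos_truncated); }
int demo_zero_len(void)  { return count_device_caps(bos_zero_len, sizeof bos_zero_len); }

int main(void)
{
    printf("well-formed: %d caps\n", demo_ok());        /* 2 */
    printf("truncated:   %d caps\n", demo_truncated()); /* 1 */
    printf("zero bLength: %d caps\n", demo_zero_len()); /* 0 */
    return 0;
}
```

The walker trusts neither wTotalLength nor bNumDeviceCaps: every field read is preceded by a check that the bytes exist, and the returned count is what a caller should store instead of the advertised number, matching the patch's bNumDeviceCaps = i on break.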