iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

USB: usbdevfs: sanitize flags more

Browse Source 
Requesting a ZERO_PACKET or not is sensible only for output.
In the input direction the device decides.
Likewise accepting short packets makes sense only for input.

This allows operation with panic_on_warn without opening up
a local DOS.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+843efa30c8821bd69f53@syzkaller.appspotmail.com
Fixes: 0cb54a3e47cb ("USB: debugging code shouldn't alter control flow")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Oliver Neukum 2018-09-05 12:07:02 +02:00 committed by Greg Kroah-Hartman
parent e871db8d78
commit 7a68d9fb85
1 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
drivers/usb/core/devio.c
View File

@ -1434,10 +1434,13 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
struct async *as = NULL; struct async *as = NULL;
struct usb_ctrlrequest *dr = NULL; struct usb_ctrlrequest *dr = NULL;
unsigned int u, totlen, isofrmlen; unsigned int u, totlen, isofrmlen;
int i, ret, is_in, num_sgs = 0, ifnum = -1; int i, ret, num_sgs = 0, ifnum = -1;
int number_of_packets = 0; int number_of_packets = 0;
unsigned int stream_id = 0; unsigned int stream_id = 0;
void *buf; void *buf;
bool is_in;
bool allow_short = false;
bool allow_zero = false;
unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK | unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK |
USBDEVFS_URB_BULK_CONTINUATION | USBDEVFS_URB_BULK_CONTINUATION |
USBDEVFS_URB_NO_FSBR | USBDEVFS_URB_NO_FSBR |
@ -1471,6 +1474,8 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
u = 0; u = 0;
switch (uurb->type) { switch (uurb->type) {
case USBDEVFS_URB_TYPE_CONTROL: case USBDEVFS_URB_TYPE_CONTROL:
if (is_in)
allow_short = true;
if (!usb_endpoint_xfer_control(&ep->desc)) if (!usb_endpoint_xfer_control(&ep->desc))
return -EINVAL; return -EINVAL;
/* min 8 byte setup packet */ /* min 8 byte setup packet */
@ -1511,6 +1516,10 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
break; break;
case USBDEVFS_URB_TYPE_BULK: case USBDEVFS_URB_TYPE_BULK:
if (!is_in)
allow_zero = true;
else
allow_short = true;
switch (usb_endpoint_type(&ep->desc)) { switch (usb_endpoint_type(&ep->desc)) {
case USB_ENDPOINT_XFER_CONTROL: case USB_ENDPOINT_XFER_CONTROL:
case USB_ENDPOINT_XFER_ISOC: case USB_ENDPOINT_XFER_ISOC:
@ -1531,6 +1540,10 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
if (!usb_endpoint_xfer_int(&ep->desc)) if (!usb_endpoint_xfer_int(&ep->desc))
return -EINVAL; return -EINVAL;
interrupt_urb: interrupt_urb:
if (!is_in)
allow_zero = true;
else
allow_short = true;
break; break;
case USBDEVFS_URB_TYPE_ISO: case USBDEVFS_URB_TYPE_ISO:
@ -1676,9 +1689,9 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
u = (is_in ? URB_DIR_IN : URB_DIR_OUT); u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
if (uurb->flags & USBDEVFS_URB_ISO_ASAP) if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
u |= URB_ISO_ASAP; u |= URB_ISO_ASAP;
if (uurb->flags & USBDEVFS_URB_SHORT_NOT_OK && is_in) if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
u |= URB_SHORT_NOT_OK; u |= URB_SHORT_NOT_OK;
if (uurb->flags & USBDEVFS_URB_ZERO_PACKET) if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
u |= URB_ZERO_PACKET; u |= URB_ZERO_PACKET;
if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT) if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
u |= URB_NO_INTERRUPT; u |= URB_NO_INTERRUPT;