linux/drivers/usb/core
Alan Stern 3dd550a2d3 USB: usbcore: Fix slab-out-of-bounds bug during device reset
The syzbot fuzzer provoked a slab-out-of-bounds error in the USB core:

BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
Read of size 1 at addr ffff8881d175bed6 by task kworker/0:3/2746

CPU: 0 PID: 2746 Comm: kworker/0:3 Not tainted 5.3.0-rc5+ #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description+0x6a/0x32c mm/kasan/report.c:351
  __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
  kasan_report+0xe/0x12 mm/kasan/common.c:612
  memcmp+0xa6/0xb0 lib/string.c:904
  memcmp include/linux/string.h:400 [inline]
  descriptors_changed drivers/usb/core/hub.c:5579 [inline]
  usb_reset_and_verify_device+0x564/0x1300 drivers/usb/core/hub.c:5729
  usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5898
  rt2x00usb_probe+0x53/0x7af
drivers/net/wireless/ralink/rt2x00/rt2x00usb.c:806

The error occurs when the descriptors_changed() routine (called during
a device reset) attempts to compare the old and new BOS and capability
descriptors.  The length it uses for the comparison is the
wTotalLength value stored in BOS descriptor, but this value is not
necessarily the same as the length actually allocated for the
descriptors.  If it is larger the routine will call memcmp() with a
length that is too big, thus reading beyond the end of the allocated
region and leading to this fault.

The kernel reads the BOS descriptor twice: first to get the total
length of all the capability descriptors, and second to read it along
with all those other descriptors.  A malicious (or very faulty) device
may send different values for the BOS descriptor fields each time.
The memory area will be allocated using the wTotalLength value read
the first time, but stored within it will be the value read the second
time.

To prevent this possibility from causing any errors, this patch
modifies the BOS descriptor after it has been read the second time:
It sets the wTotalLength field to the actual length of the descriptors
that were read in and validated.  Then the memcpy() call, or any other
code using these descriptors, will be able to rely on wTotalLength
being valid.

Reported-and-tested-by: syzbot+35f4d916c623118d576e@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1909041154260.1722-100000@iolanthe.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-09-04 18:24:00 +02:00
..
buffer.c usb: add a hcd_uses_dma helper 2019-08-15 15:18:05 +02:00
config.c USB: usbcore: Fix slab-out-of-bounds bug during device reset 2019-09-04 18:24:00 +02:00
devices.c Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
devio.c Merge generic_lookup_helpers into usb-next 2019-09-03 17:11:07 +02:00
driver.c USB: add support for dev_groups to struct usb_device_driver 2019-08-07 14:05:04 +02:00
endpoint.c
file.c USB: core: Fix races in character device registration and deregistraion 2019-08-12 22:47:24 +02:00
generic.c usbfs: Add ioctls for runtime power management 2019-08-09 07:55:45 +02:00
hcd-pci.c Merge 5.3-rc7 into usb-next 2019-09-02 19:31:18 +02:00
hcd.c usb: core: phy: add support for PHY calibration 2019-09-03 15:54:55 +02:00
hub.c usb: Handle USB3 remote wakeup for LPM enabled devices correctly 2019-07-03 18:40:49 +02:00
hub.h usb: hub: add retry routine after intr URB submit error 2019-01-18 09:58:04 +01:00
Kconfig usb: remove redundant 'default n' from Kconfig-s 2019-05-21 10:06:22 +02:00
ledtrig-usbport.c USB: leds: fix regression in usbport led trigger 2019-01-18 09:55:05 +01:00
Makefile usb: core: add a wrapper for the USB PHYs on the HCD 2018-03-09 09:43:53 -08:00
message.c USB: CDC: fix sanity checks in CDC union parser 2019-08-15 14:49:16 +02:00
notify.c USB: core: Remove usbfs_mutex 2019-06-26 10:28:09 +08:00
of.c usb: Change usb_of_get_companion_dev() place to usb/common 2018-09-10 20:40:29 +02:00
otg_whitelist.h USB: core: Remove redundant license text 2017-11-04 11:55:39 +01:00
phy.c usb: core: phy: add support for PHY calibration 2019-09-03 15:54:55 +02:00
phy.h usb: core: phy: add support for PHY calibration 2019-09-03 15:54:55 +02:00
port.c USB: Disable USB2 LPM at shutdown 2019-08-05 17:19:46 +02:00
quirks.c USB: Fix chipmunk-like voice when using Logitech C270 for recording audio. 2019-06-05 11:52:42 +02:00
sysfs.c usb: setup authorized_default attributes using usb_bus_notify 2019-08-08 16:07:34 +02:00
urb.c USB: core: urb: Use struct_size() in kmalloc() 2019-01-08 16:46:46 +01:00
usb-acpi.c usb: assign ACPI companions for embedded USB devices 2019-01-25 08:46:26 +01:00
usb.c usb: remove commented out dma wrappers 2019-09-03 15:26:12 +02:00
usb.h Merge 5.3-rc4 into usb-next 2019-08-12 07:42:51 +02:00