USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor [Linux 5.2]

USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor [Linux 5.2]

This Linux kernel change "USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor" is included in the Linux 5.2 release. This change is authored by Alan Stern <stern [at] rowland.harvard.edu> on Mon May 13 13:14:29 2019 -0400. The commit for this change in Linux stable tree is a03ff54 (patch).

USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor

The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the
USB core, caused by a failure to check the actual size of a BOS
descriptor.  This patch adds a check to make sure the descriptor is at
least as large as it is supposed to be, so that the code doesn't
inadvertently access memory beyond the end of the allocated region
when assigning to dev->bos->desc->bNumDeviceCaps later on.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

There are 4 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 drivers/usb/core/config.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 20ff036..9d6cb70 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -932,8 +932,8 @@ int usb_get_bos_descriptor(struct usb_device *dev)

    /* Get BOS descriptor */
    ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE);
-   if (ret < USB_DT_BOS_SIZE) {
-       dev_err(ddev, "unable to get BOS descriptor\n");
+   if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) {
+       dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n");
        if (ret >= 0)
            ret = -ENOMSG;
        kfree(bos);

Leave a Reply

Your email address will not be published. Required fields are marked *