On Wed, Dec 13, 2017 at 09:27:42AM +0800, Peter Chen wrote:
> On Tue, Dec 12, 2017 at 02:25:13PM -0500, Alan Stern wrote:
> > A malicious USB device with crafted descriptors can cause the kernel
> > to access unallocated memory by setting the bNumInterfaces value too
> > high in a configuration descriptor. Although the value is adjusted
> > during parsing, this adjustment is skipped in one of the error return
> > paths.
> >
> > This patch prevents the problem by setting bNumInterfaces to 0
> > initially. The existing code already sets it to the proper value
> > after parsing is complete.
> >
> > Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> > Reported-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> > CC: <stable@xxxxxxxxxxxxxxx>
> >
> > ---
> >
> >
> > [as1855]
> >
> >
> > drivers/usb/core/config.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > Index: usb-4.x/drivers/usb/core/config.c
> > ===================================================================
> > --- usb-4.x.orig/drivers/usb/core/config.c
> > +++ usb-4.x/drivers/usb/core/config.c
> > @@ -555,6 +555,9 @@ static int usb_parse_configuration(struc
> > unsigned iad_num = 0;
> >
> > memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
> > + nintf = nintf_orig = config->desc.bNumInterfaces;
> > + config->desc.bNumInterfaces = 0; // Adjusted later
> > +
>
> The comment format?

Is fine, I've given up that fight :)

greg k-h
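Review bot: the `// Adjusted later` comment on the added `config->desc.bNumInterfaces = 0;` line does not record why the field is zeroed, which is the security-relevant part of the change. A block comment such as `/* 0 until parsing completes, so error returns never keep the device-supplied count */` would state the invariant from the commit message next to the code and use the `/* */` form. The quoted hunk stops at the three added lines, so the one deletion in the diffstat and the later assignment that sets the proper value are not visible here; it is worth confirming in the full patch that the device-supplied value is only read through `nintf` / `nintf_orig` after this point and that no return path between these lines and the final assignment writes it back.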