On Tue, Dec 12, 2017 at 02:25:13PM -0500, Alan Stern wrote:
> A malicious USB device with crafted descriptors can cause the kernel
> to access unallocated memory by setting the bNumInterfaces value too
> high in a configuration descriptor. Although the value is adjusted
> during parsing, this adjustment is skipped in one of the error return
> paths.
>
> This patch prevents the problem by setting bNumInterfaces to 0
> initially. The existing code already sets it to the proper value
> after parsing is complete.
>
> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> Reported-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> CC: <stable@xxxxxxxxxxxxxxx>
>
> --- > > > [as1855] > > > drivers/usb/core/config.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > Index: usb-4.x/drivers/usb/core/config.c > =================================================================== > --- usb-4.x.orig/drivers/usb/core/config.c > +++ usb-4.x/drivers/usb/core/config.c > @@ -555,6 +555,9 @@ static int usb_parse_configuration(struc > unsigned iad_num = 0; > > memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE); > + nintf = nintf_orig = config->desc.bNumInterfaces; > + config->desc.bNumInterfaces = 0; // Adjusted later > + > if (config->desc.bDescriptorType != USB_DT_CONFIG || > config->desc.bLength < USB_DT_CONFIG_SIZE || > config->desc.bLength > size) { > @@ -568,7 +571,6 @@ static int usb_parse_configuration(struc > buffer += config->desc.bLength; > size -= config->desc.bLength; > > - nintf = nintf_orig = config->desc.bNumInterfaces;

Ugh, I tried to find this place to do this, but couldn't. Nice job,
I'll revert my patch and apply yours instead, thanks for this.

greg k-h
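
Review bot: the comment on the added line "config->desc.bNumInterfaces = 0; // Adjusted later" in the first hunk (@@ -555,6 +555,9 @@) uses a C99 "//" comment where kernel coding style asks for /* ... */, and it does not say why the field is zeroed. Suggest a /* */ comment stating that the field is cleared before the bDescriptorType/bLength check so that an error return which skips the later adjustment does not leave the device-supplied count in place; that also keeps a later cleanup from moving the assignment back below the check.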
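
The failure mode the commit message describes, as a simplified C model added here (not kernel code and not part of the original thread). The struct layout, parse_cfg(), overrun(), the zero_first switch and the sample bytes are all constructed for illustration, and a consumer that trusts desc.count after a failed parse is an assumption of the model.

```c
#include <stdint.h>
#include <string.h>
#define HDR_SIZE  4   /* constructed layout: length, type, count, pad */
#define TYPE_CFG  2   /* constructed type tag */
#define MAX_ITEMS 4

struct hdr { uint8_t length, type, count, pad; };
struct cfg { struct hdr desc; uint8_t item[MAX_ITEMS]; };

/* Parse a header followed by one-byte items; zero_first selects the ordering
 * the patch introduces. Returns 0 on success, -1 on a malformed header. */
static int parse_cfg(struct cfg *c, const uint8_t *buf, size_t size, int zero_first)
{
    unsigned n, i;
    if (size < HDR_SIZE)
        return -1;
    memcpy(&c->desc, buf, HDR_SIZE);   /* desc.count is now input-controlled */
    n = c->desc.count;
    if (zero_first)
        c->desc.count = 0;             /* every early return now leaves 0 */
    if (c->desc.type != TYPE_CFG || c->desc.length < HDR_SIZE ||
        c->desc.length > size)
        return -1;                     /* error path: count is never adjusted */
    if (n > MAX_ITEMS)
        n = MAX_ITEMS;                 /* clamp to what item[] can hold */
    for (i = 0; i < n && HDR_SIZE + i < size; i++)
        c->item[i] = buf[HDR_SIZE + i];
    c->desc.count = (uint8_t)i;        /* adjusted to what was really parsed */
    return 0;
}

/* Entries past item[] that a consumer looping over desc.count would touch. */
static unsigned overrun(const struct cfg *c)
{
    return c->desc.count > MAX_ITEMS ? c->desc.count - MAX_ITEMS : 0u;
}

/* Constructed inputs: count = 200 with a wrong type tag, and a valid record. */
static const uint8_t bad[]  = { 4, 9, 200, 0 };
static const uint8_t good[] = { 6, TYPE_CFG, 2, 0, 0xAA, 0xBB };

int main(void)
{
    struct cfg a, b, g;
    parse_cfg(&a, bad, sizeof bad, 0);   /* original order: count stays 200 */
    parse_cfg(&b, bad, sizeof bad, 1);   /* patched order: count is 0 */
    return !(overrun(&a) == 196 && overrun(&b) == 0 &&
             parse_cfg(&g, good, sizeof good, 1) == 0 && g.desc.count == 2);
}
```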