On 09.11.2017 18:25, Masakazu Mokuno wrote:
As most of BOS descriptors are longer in length than their header 'struct usb_dev_cap_header', comparing solely with it is not sufficient to avoid out-of-bounds access to BOS descriptors. This patch adds descriptor type specific length check in usb_get_bos_descriptor() to fix the issue.

Signed-off-by: Masakazu Mokuno <masakazu.mokuno@xxxxxxxxx>
This patch breaks USB3.1 devices from being properly detected as 3.1 capable. All USB 3.1 devices look like USB3.0 devices since 4.15-rc3 ...
+ ssp_cap = (struct usb_ssp_cap_descriptor *)buffer; + ssac = (le32_to_cpu(ssp_cap->bmAttributes) & + USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1; + if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac)) + dev->bos->ssp_cap = ssp_cap;
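Review bot: the value handed to USB_DT_USB_SSP_CAP_SIZE() in this hunk is the attribute count, `(le32_to_cpu(ssp_cap->bmAttributes) & USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1`, but the macro as currently defined, `(16 + ssac * 4)`, already accounts for the implicit first attribute and expects the raw SSAC field, so the required length comes out 4 bytes larger than a spec-sized descriptor, `if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac))` never holds, and dev->bos->ssp_cap stays unset. Either drop the `+ 1` here, or change the macro to `(12 + (ssac + 1) * 4)` and keep passing the count; doing both would reintroduce the off-by-one.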
The problem is ssac is off by one, so dev->bos->ssp_cap is never set.

SSAC in usb spec is 0 based, USB3 spec 9.6.2.5 says "The number of Sublink Speed Attributes = SSAC + 1."

USB_DT_USB_SSP_CAP_SIZE() takes SSAC as an argument, not "The number of Sublink Speed Attributes".

USB_DT_USB_SSP_CAP_SIZE() definition is a bit confusing. It should be changed from

    #define USB_DT_USB_SSP_CAP_SIZE(ssac) (16 + ssac * 4)

to something like:

    #define USB_DT_USB_SSP_CAP_SIZE(ssac) (12 + (ssac + 1) * 4)

-Mathias
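The off-by-one described in the reply above, worked through in a stand-alone C program. This is an added illustration, not code from the patch or from the kernel tree: it keeps the existing macro next to the rewritten form from the reply, reproduces the patched length check and a corrected one, and runs both over a constructed SuperSpeedPlus capability descriptor whose bLength is exactly what the spec requires for its SSAC. The descriptor bytes and the sublink attribute values are constructed for the example; the header layout (4-byte capability header, then bmAttributes) follows USB 3.1 section 9.6.2.5 as quoted in the reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel macro as defined today: the argument is the raw SSAC field. */
#define USB_DT_USB_SSP_CAP_SIZE(ssac)       (16 + (ssac) * 4)
/* Rewritten form suggested in the reply: same value, intent made explicit. */
#define USB_DT_USB_SSP_CAP_SIZE_CLEAR(ssac) (12 + ((ssac) + 1) * 4)

/* SSAC occupies bits 4:0 of bmAttributes. */
#define USB_SSP_SUBLINK_SPEED_ATTRIBS 0x1f

/* bmAttributes follows the 4-byte device capability header. */
#define SSP_CAP_BMATTR_OFFSET 4

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Length the spec requires for a descriptor carrying this bmAttributes value. */
size_t ssp_cap_required_len(uint32_t bmAttributes)
{
    uint32_t ssac = bmAttributes & USB_SSP_SUBLINK_SPEED_ATTRIBS;
    return USB_DT_USB_SSP_CAP_SIZE_CLEAR(ssac);
}

/* The check as written in the patch: the attribute count (SSAC + 1) is passed
 * to a macro that expects raw SSAC, so the required size is 4 bytes too large. */
int ssp_cap_accepted_patched(const uint8_t *buf, size_t length)
{
    if (length < SSP_CAP_BMATTR_OFFSET + 4)
        return 0;                 /* bmAttributes itself is out of bounds */
    uint32_t ssac = (get_le32(buf + SSP_CAP_BMATTR_OFFSET) &
                     USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1;
    return length >= USB_DT_USB_SSP_CAP_SIZE(ssac);
}

/* Corrected check: raw SSAC drives the size, so a spec-sized descriptor is
 * accepted while a truncated one is still rejected. */
int ssp_cap_accepted_fixed(const uint8_t *buf, size_t length)
{
    if (length < SSP_CAP_BMATTR_OFFSET + 4)
        return 0;
    return length >= ssp_cap_required_len(get_le32(buf + SSP_CAP_BMATTR_OFFSET));
}

/* Constructed SSP capability descriptor with SSAC = 1 (two sublink speed
 * attributes). bLength = 20, exactly the size the spec requires for SSAC = 1. */
static const uint8_t sample_ssp_cap[20] = {
    20,   0x10, 0x0a, 0x00,   /* bLength, DEVICE CAPABILITY, SUPERSPEED_PLUS, reserved */
    0x01, 0x00, 0x00, 0x00,   /* bmAttributes: SSAC = 1, SSIC = 0 */
    0x00, 0x00, 0x00, 0x00,   /* wFunctionalitySupport, wReserved */
    0x30, 0x40, 0x0a, 0x00,   /* bmSublinkSpeedAttr[0] (constructed value) */
    0xb0, 0x40, 0x0a, 0x00,   /* bmSublinkSpeedAttr[1] (constructed value) */
};

int main(void)
{
    size_t len = sizeof sample_ssp_cap;
    printf("patched check accepts spec-sized descriptor: %d\n",
           ssp_cap_accepted_patched(sample_ssp_cap, len));
    printf("fixed check accepts spec-sized descriptor:   %d\n",
           ssp_cap_accepted_fixed(sample_ssp_cap, len));
    printf("fixed check accepts 16-byte truncation:      %d\n",
           ssp_cap_accepted_fixed(sample_ssp_cap, 16));
    return 0;
}
```

The patched check rejects the 20-byte descriptor because it computes a required size of 24, which is why every SSP-capable device falls back to looking like USB 3.0; the corrected check accepts it and still rejects the 16-byte truncation, so the bounds protection the patch set out to add is preserved.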