On Mon, May 13, 2019 at 01:14:29PM -0400, Alan Stern wrote:
> The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the
> USB core, caused by a failure to check the actual size of a BOS
> descriptor. This patch adds a check to make sure the descriptor is at
> least as large as it is supposed to be, so that the code doesn't
> inadvertently access memory beyond the end of the allocated region
> when assigning to dev->bos->desc->bNumDeviceCaps later on.
>
> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> Reported-and-tested-by: syzbot+71f1e64501a309fcc012@xxxxxxxxxxxxxxxxxxxxxxxxx
> CC: <stable@xxxxxxxxxxxxxxx>
>
> ---
>
>
> [as1898]
>
>
> drivers/usb/core/config.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> Index: usb-devel/drivers/usb/core/config.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/core/config.c
> +++ usb-devel/drivers/usb/core/config.c
> @@ -932,8 +932,8 @@ int usb_get_bos_descriptor(struct usb_de
>
> /* Get BOS descriptor */
> ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE);
> - if (ret < USB_DT_BOS_SIZE) {
> - dev_err(ddev, "unable to get BOS descriptor\n");
> + if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) {
> + dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n");

Nice fix, I thought we had found all of these the last time we fuzzed
this area :)

I'll queue this up once 5.2-rc1 is out, thanks.

greg k-h
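Review bot: the new `dev_err` message drops the information a reporter would need to tell the two failure causes apart; since the condition now covers both a short transfer and a device-supplied `bLength` that is too small, consider logging both values, e.g. `dev_err(ddev, "unable to get BOS descriptor or descriptor too short (ret %d, bLength %u)\n", ret, bos->bLength);`. Keeping the original `ret < USB_DT_BOS_SIZE` test alongside the new `bos->bLength` test is right: `ret` is the byte count the control transfer actually delivered, while `bLength` is whatever the device wrote into the buffer, so neither on its own proves the other is sane. The hunk as quoted in this reply is cut off after the two `+` lines, so the error path that follows (the closing brace and whatever is returned or jumped to) is not visible here and cannot be reviewed from this excerpt. Given the `CC: stable` line in the message, a `Fixes:` tag naming the commit that introduced the unchecked access would help the stable maintainers pick the right branches.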
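To show what the quoted check defends against in isolation, here is an added stand-alone example that is not part of the kernel, of Alan Stern's patch, or of this thread. It models the 5-byte BOS header with a hypothetical `struct bos_header` and a hypothetical `check_bos_header()` that applies the same two tests as the patched condition: the number of bytes the transfer actually returned (`ret`) and the device-supplied `bLength` must both cover the whole header before `bNumDeviceCaps` is read. The descriptor-type test is an assumption added for completeness, and the two sample descriptors are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from the USB specification; USB_DT_BOS_SIZE is the 5-byte header
 * length the patch compares against. */
#define USB_DT_BOS       0x0f
#define USB_DT_BOS_SIZE  5

/* Hypothetical stand-in for the BOS header as it arrives on the wire. */
struct bos_header {
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint16_t wTotalLength;    /* little-endian in the buffer */
    uint8_t  bNumDeviceCaps;
};

/* Result codes for check_bos_header() (constructed for this example). */
enum bos_check {
    BOS_OK             =  0,
    BOS_SHORT_TRANSFER = -1,  /* transfer delivered fewer than 5 bytes */
    BOS_SHORT_BLENGTH  = -2,  /* device claims a header shorter than 5 bytes */
    BOS_BAD_TYPE       = -3,  /* bDescriptorType is not USB_DT_BOS (assumed extra test) */
};

/* Validate a raw BOS header before trusting any field beyond the first byte.
 * 'ret' is the byte count the control transfer actually returned, which is
 * what the pre-patch code checked; buf[0] is the device-supplied bLength,
 * which the patch adds. Only when both pass are the fields copied out. */
int check_bos_header(const uint8_t *buf, int ret, struct bos_header *out)
{
    if (ret < USB_DT_BOS_SIZE)
        return BOS_SHORT_TRANSFER;
    if (buf[0] < USB_DT_BOS_SIZE)
        return BOS_SHORT_BLENGTH;
    if (buf[1] != USB_DT_BOS)
        return BOS_BAD_TYPE;

    out->bLength         = buf[0];
    out->bDescriptorType = buf[1];
    out->wTotalLength    = (uint16_t)(buf[2] | ((uint16_t)buf[3] << 8));
    out->bNumDeviceCaps  = buf[4];
    return BOS_OK;
}

/* Constructed sample: a well-formed header with one device capability. */
const uint8_t sample_bos_ok[USB_DT_BOS_SIZE] = { 0x05, USB_DT_BOS, 0x0c, 0x00, 0x01 };

/* Constructed sample: the transfer returns 5 bytes, but the device reports
 * bLength = 1. The old check (ret only) passes this; the new check rejects it. */
const uint8_t sample_bos_short_blength[USB_DT_BOS_SIZE] = { 0x01, USB_DT_BOS, 0x01, 0x00, 0x00 };

int main(void)
{
    struct bos_header h;
    int rc;

    rc = check_bos_header(sample_bos_ok, USB_DT_BOS_SIZE, &h);
    printf("well-formed header: rc=%d bNumDeviceCaps=%u wTotalLength=%u\n",
           rc, h.bNumDeviceCaps, h.wTotalLength);

    rc = check_bos_header(sample_bos_short_blength, USB_DT_BOS_SIZE, &h);
    printf("bLength=1 header:   rc=%d (rejected before any field is used)\n", rc);

    rc = check_bos_header(sample_bos_ok, 3, &h);
    printf("3-byte transfer:    rc=%d\n", rc);
    return 0;
}
```

The second sample is the case the old condition let through: `ret` equals `USB_DT_BOS_SIZE`, so the transfer looked complete, yet the device's own `bLength` says the header is one byte long, and any later code that sizes an allocation from the device's numbers and then writes `bNumDeviceCaps` at offset 4 is writing past what it allocated.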