Re: [PATCH] USB: gadget: f_ncm: Fix NDP16 datagram validation

Hello Greg,
Hello stable maintainers,

On Sun, Sep 20, 2020 at 06:01:58PM +0100, Bryan O'Donoghue wrote:
> commit 2b74b0a04d3e ("USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()")
> adds important bounds checking however it unfortunately also introduces a
> bug with respect to section 3.3.1 of the NCM specification.
> 
> wDatagramIndex[1] : "Byte index, in little endian, of the second datagram
> described by this NDP16. If zero, then this marks the end of the sequence
> of datagrams in this NDP16."
> 
> wDatagramLength[1]: "Byte length, in little endian, of the second datagram
> described by this NDP16. If zero, then this marks the end of the sequence
> of datagrams in this NDP16."
> 
> wDatagramIndex[1] and wDatagramLength[1] respectively then may be zero but
> that does not mean we should throw away the data referenced by
> wDatagramIndex[0] and wDatagramLength[0] as is currently the case.
> 
> Breaking the loop on (index2 == 0 || dg_len2 == 0) should come at the end
> as was previously the case and checks for index2 and dg_len2 should be
> removed since zero is valid.
> 
> I'm not sure how much testing the above patch received but for me right now
> after enumeration ping doesn't work. Reverting the commit restores ping,
> scp, etc.
> 
> The extra validation associated with wDatagramIndex[0] and
> wDatagramLength[0] appears to be valid so, this change removes the incorrect
> restriction on wDatagramIndex[1] and wDatagramLength[1] restoring data
> processing between host and device.
> 
> Fixes: 2b74b0a04d3e ("USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()")
> Cc: Ilja Van Sprundel <ivansprundel@xxxxxxxxxxxx>
> Cc: Brooke Basile <brookebasile@xxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxx>
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@xxxxxxxxxx>
> ---
>  drivers/usb/gadget/function/f_ncm.c | 30 ++---------------------------
>  1 file changed, 2 insertions(+), 28 deletions(-)

This patch appears to be pushed to 4.19, 5.4 and 5.8 stable trees via:

https://lore.kernel.org/lkml/20201005142108.771915994@xxxxxxxxxxxxxxxxxxx/
https://lore.kernel.org/lkml/20201005142109.966570222@xxxxxxxxxxxxxxxxxxx/
https://lore.kernel.org/lkml/20201005142114.960807335@xxxxxxxxxxxxxxxxxxx/

Will you push this patch to v4.14.y, in order to fix v4.14.196 commit
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b88ad6e714284b
("USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()") ?

-- 
Best regards,
Eugeniu Rosca
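
The terminator rule quoted from section 3.3.1, as an added example that is not part of this thread and is not the kernel's `ncm_unwrap_ntb()` code: a simplified walker over the wDatagramIndex/wDatagramLength pairs that keeps the bounds check on real entries while treating a zero pair as end of sequence. The names `ndp16_walk`, `entry_ok`, `strict_next` and `sample_ntb` are hypothetical, the sample buffer is constructed, and `strict_next=1` is only a model of the behaviour the commit message describes.

```c
#include <stddef.h>
#include <stdint.h>

/* Read a 16-bit little-endian field. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* An entry that describes real data: non-zero and fully inside the NTB. */
static int entry_ok(uint16_t index, uint16_t len, size_t ntb_len)
{
    return index != 0 && len != 0 && (size_t)index + len <= ntb_len;
}

/*
 * Walk the wDatagramIndex/wDatagramLength pairs starting at byte offset tbl.
 * Returns the number of datagrams accepted, or -1 if the NTB is rejected.
 * Assumption (simplification): the table is bounded by the buffer only.
 * strict_next=1 models the regression: the following pair is validated as
 * data before the current datagram is accepted, so a terminator is an error.
 */
int ndp16_walk(const uint8_t *ntb, size_t ntb_len, size_t tbl, int strict_next)
{
    int accepted = 0;
    if (tbl > ntb_len || ntb_len - tbl < 8)   /* entry 0 plus one more pair */
        return -1;
    if (!entry_ok(le16(ntb + tbl), le16(ntb + tbl + 2), ntb_len))
        return -1;                            /* entry 0 must be real data */
    for (;;) {
        tbl += 4;
        if (ntb_len - tbl < 4)
            return -1;                        /* ran out before a terminator */
        uint16_t index2 = le16(ntb + tbl), len2 = le16(ntb + tbl + 2);
        int next_ok = entry_ok(index2, len2, ntb_len);
        if (strict_next && !next_ok)
            return -1;                        /* current datagram is lost */
        accepted++;                           /* current datagram delivered */
        if (index2 == 0 || len2 == 0)
            return accepted;                  /* zero pair: end of sequence */
        if (!next_ok)
            return -1;                        /* non-zero but out of bounds */
    }
}

/* Constructed 64-byte NTB: table at offset 16, one datagram (32, 20), then 0/0. */
static const uint8_t sample_ntb[64] = { [16] = 32, 0, 20, 0 };

int main(void) { return ndp16_walk(sample_ntb, sizeof sample_ntb, 16, 0) == 1 ? 0 : 1; }
```

With the constructed buffer, the terminator-aware walk accepts the single datagram, while the `strict_next` model rejects the whole NTB because the zero pair that follows fails validation.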


