ACK: [PATCH] usbip: fix stub_rx: get_pipe() to validate endpoint number

Stefan Bader stefan.bader at canonical.com
Wed Jul 25 14:51:13 UTC 2018 

On 25.07.2018 08:58, Juerg Haefliger wrote:
> On 07/19/2018 07:17 PM, Colin King wrote:
>> From: Shuah Khan <shuahkh at osg.samsung.com>
>>
>> CVE-2017-16912
>>
>> get_pipe() routine doesn't validate the input endpoint number
>> and uses to reference ep_in and ep_out arrays. Invalid endpoint
>> number can trigger BUG(). Range check the epnum and returning
>> error instead of calling BUG().
>>
>> Change caller stub_recv_cmd_submit() to handle the get_pipe()
>> error return.
>>
>> Reported-by: Secunia Research <vuln at secunia.com>
>> Cc: stable <stable at vger.kernel.org>
>> Signed-off-by: Shuah Khan <shuahkh at osg.samsung.com>
>> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
>> (backported from upstream commit 635f545a7e8be7596b9b2b6a43cab6bbd5a88e43)
> 
> (backported from commit 635f545a7e8be7596b9b2b6a43cab6bbd5a88e43)
> [cking: Accounted for file rename drivers/usb/usbip/stub_rx.c ->
>  drivers/staging/usbip/stub_rx.c.]
> 
> 
>> Signed-off-by: Colin Ian King <colin.king at canonical.com>
> 
> Acked-by: Juerg Haefliger <juergh at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> 
> ...Juerg
> 
> 
>> ---
>>  drivers/staging/usbip/stub_rx.c | 17 ++++++++++-------
>>  1 file changed, 10 insertions(+), 7 deletions(-)
>>
>> diff --git a/drivers/staging/usbip/stub_rx.c b/drivers/staging/usbip/stub_rx.c
>> index db48a78..f071048 100644
>> --- a/drivers/staging/usbip/stub_rx.c
>> +++ b/drivers/staging/usbip/stub_rx.c
>> @@ -355,16 +355,15 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir)
>>  	struct usb_host_endpoint *ep;
>>  	struct usb_endpoint_descriptor *epd = NULL;
>>  
>> +	if (epnum < 0 || epnum > 15)
>> +		goto err_ret;
>> +
>>  	if (dir == USBIP_DIR_IN)
>>  		ep = udev->ep_in[epnum & 0x7f];
>>  	else
>>  		ep = udev->ep_out[epnum & 0x7f];
>> -	if (!ep) {
>> -		dev_err(&sdev->interface->dev, "no such endpoint?, %d\n",
>> -			epnum);
>> -		BUG();
>> -	}
>> -
>> +	if (!ep)
>> +		goto err_ret;
>>  	epd = &ep->desc;
>>  	if (usb_endpoint_xfer_control(epd)) {
>>  		if (dir == USBIP_DIR_OUT)
>> @@ -394,8 +393,9 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir)
>>  			return usb_rcvisocpipe(udev, epnum);
>>  	}
>>  
>> +err_ret:
>>  	/* NOT REACHED */
>> -	dev_err(&sdev->interface->dev, "get pipe, epnum %d\n", epnum);
>> +	dev_err(&sdev->udev->dev, "get pipe() invalid epnum %d\n", epnum);
>>  	return 0;
>>  }
>>  
>> @@ -462,6 +462,9 @@ static void stub_recv_cmd_submit(struct stub_device *sdev,
>>  	struct usb_device *udev = sdev->udev;
>>  	int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction);
>>  
>> +	if (pipe == -1)
>> +		return;
>> +
>>  	priv = stub_priv_alloc(sdev, pdu);
>>  	if (!priv)
>>  		return;
>>
> 
> 
> 
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180725/4a1c1120/attachment.sig>

More information about the kernel-team mailing list