From patchwork Fri Sep 4 06:37:44 2020
X-Patchwork-Submitter: Zeng Tao
X-Patchwork-Id: 249059
From: Zeng Tao
Cc: Zeng Tao, stable, "Alan Stern", chenqiwu
Subject: [PATCH] usb: core: fix slab-out-of-bounds Read in read_descriptors
Date: Fri, 4 Sep 2020 14:37:44 +0800
Message-ID: <1599201467-11000-1-git-send-email-prime.zeng@hisilicon.com>
X-Mailing-List: stable@vger.kernel.org

The USB device descriptor may get changed between two consecutive
enumerations on the same device for some reason, such as DFU or a
malicious device.
In that case, we may access the changing descriptor if we don't take
the device lock here.

The issue is reported:
https://syzkaller.appspot.com/bug?id=901a0d9e6519ef8dc7acab25344bd287dd3c7be9

Cc: stable
Cc: Alan Stern
Reported-by: syzbot+256e56ddde8b8957eabd@syzkaller.appspotmail.com
Fixes: 217a9081d8e6 ("USB: add all configs to the "descriptors" attribute")
Signed-off-by: Zeng Tao
---
 drivers/usb/core/sysfs.c | 5 +++++
 1 file changed, 5 insertions(+)

-- 
2.8.1

diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c index a2ca38e..8d13419 100644 --- a/drivers/usb/core/sysfs.c +++ b/drivers/usb/core/sysfs.c @@ -889,7 +889,11 @@ read_descriptors(struct file *filp, struct kobject *kobj, size_t srclen, n; int cfgno; void *src; + int retval; + retval = usb_lock_device_interruptible(udev); + if (retval < 0) + return -EINTR; /* The binary attribute begins with the device descriptor. * Following that are the raw descriptor entries for all the * configurations (config plus subsidiary descriptors). @@ -914,6 +918,7 @@ read_descriptors(struct file *filp, struct kobject *kobj, off -= srclen; } } + usb_unlock_device(udev); return count - nleft; }
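
Review bot: In the first hunk (@@ -889,7 +889,11 @@), the error path stores the result of usb_lock_device_interruptible(udev) in retval but then returns a hard-coded -EINTR, so retval is used only for the `< 0` test. Either return retval directly so that whatever the lock helper reports reaches the caller, or drop the variable and test the call inline; if -EINTR is deliberately the only error a reader of this attribute should see, a short comment saying so would help. The lock is also taken above the existing block comment without any explanation. A one-line comment noting that it protects against the descriptors changing during re-enumeration, the case the commit message describes, would keep a later cleanup from removing it.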
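
Review bot: In the second hunk (@@ -914,6 +918,7 @@), usb_unlock_device(udev) is added only on the final `return count - nleft;` path, and the lines between the two hunks are not visible here. Please confirm that the copy loop in between has no early return or goto that would leave read_descriptors() with the device lock still held; if there is one, route it through a single unlock label. The commit message should also mention that the lock is now held across the whole copy loop, since every read of this attribute now serializes on the device lock and can fail when interrupted.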