linux/drivers/usb/usbip
Malte Leip c409ca3be3 usb: usbip: fix isoc packet num validation in get_pipe
Change the validation of number_of_packets in get_pipe to compare the
number of packets to a fixed maximum number of packets allowed, set to
be 1024. This number was chosen due to it being used by other drivers as
well, for example drivers/usb/host/uhci-q.c

Background/reason:
The get_pipe function in stub_rx.c validates the number of packets in
isochronous mode and aborts with an error if that number is too large,
in order to prevent malicious input from possibly triggering large
memory allocations. This was previously done by checking whether
pdu->u.cmd_submit.number_of_packets is bigger than the number of packets
that would be needed for pdu->u.cmd_submit.transfer_buffer_length bytes
if all except possibly the last packet had maximum length, given by
usb_endpoint_maxp(epd) *  usb_endpoint_maxp_mult(epd). This leads to an
error if URBs with packets shorter than the maximum possible length are
submitted, which is allowed according to
Documentation/driver-api/usb/URB.rst and occurs for example with the
snd-usb-audio driver.

Fixes: c6688ef9f2 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input")
Signed-off-by: Malte Leip <malte@leip.net>
Cc: stable <stable@vger.kernel.org>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-04-25 11:11:41 +02:00
..
Kconfig USB: add missing SPDX lines to Kconfig and Makefiles 2019-01-22 09:08:17 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
stub.h usbip: usbip_host: fix NULL-ptr deref and use-after-free errors 2018-05-15 09:52:02 +02:00
stub_dev.c usbip: usbip_host: fix NULL-ptr deref and use-after-free errors 2018-05-15 09:52:02 +02:00
stub_main.c usbip: usbip_host: fix bad unlock balance during stub_probe() 2018-05-16 18:52:13 +02:00
stub_rx.c usb: usbip: fix isoc packet num validation in get_pipe 2019-04-25 11:11:41 +02:00
stub_tx.c usbip: stub: stop printing kernel pointer addresses in messages 2017-12-19 11:40:54 +01:00
usbip_common.c iov_iter: Separate type from direction and use accessor functions 2018-10-24 00:41:07 +01:00
usbip_common.h usb: usbip: fix isoc packet num validation in get_pipe 2019-04-25 11:11:41 +02:00
usbip_event.c usbip: usbip_event: fix to not print kernel pointer address 2018-04-22 14:45:12 +02:00
vhci.h USB: usbip: Remove redundant license text 2017-11-07 15:45:01 +01:00
vhci_hcd.c usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path 2019-01-25 10:02:49 +01:00
vhci_rx.c usbip: vhci: fix spelling mistake: "synchronuously" -> "synchronously" 2018-01-04 17:05:55 +01:00
vhci_sysfs.c usbip: vhci_sysfs: fix potential Spectre v1 2018-05-24 18:14:28 +02:00
vhci_tx.c usbip: vhci: stop printing kernel pointer addresses in messages 2017-12-19 11:40:54 +01:00
vudc.h USB: usbip: Remove redundant license text 2017-11-07 15:45:01 +01:00
vudc_dev.c usbip: Fix vep_free_request() null pointer checks on input args 2019-01-30 09:22:35 +01:00
vudc_main.c usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten 2018-10-18 19:44:39 +02:00
vudc_rx.c usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input 2018-01-04 17:07:26 +01:00
vudc_sysfs.c usbip: vudc: fix null pointer dereference on udc->lock 2018-03-09 10:01:07 -08:00
vudc_transfer.c USB: usbip: Remove redundant license text 2017-11-07 15:45:01 +01:00
vudc_tx.c usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer 2018-01-04 17:07:27 +01:00