Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 9d13d3e05be29056eeab610d9ad26b04c9231a04
commit9d13d3e05be29056eeab610d9ad26b04c9231a04[log] [tgz]
authorAlan Stern <stern@rowland.harvard.edu>Wed Oct 18 12:49:38 2017 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Fri Oct 27 10:38:05 2017 +0200
treee909b9f81e64828e3a84b5611956cc67a0fd3023
parentee0ea51aa9cbe8ee335baabf98fd8ee3da185a98 [diff]
USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()

commit 1c0edc3633b56000e18d82fc241e3995ca18a69e upstream.

Andrey used the syzkaller fuzzer to find an out-of-bounds memory
access in usb_get_bos_descriptor().  The code wasn't checking that the
next usb_dev_cap_header structure could fit into the remaining buffer
space.

This patch fixes the error and also reduces the bNumDeviceCaps field
in the header to match the actual number of capabilities found, in
cases where there are fewer than expected.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: e909b9f81e64828e3a84b5611956cc67a0fd3023
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS