android_kernel_oneplus_msm8998/drivers/usb/usbip
Malte Leip 55153b1089 usb: usbip: fix isoc packet num validation in get_pipe
commit c409ca3be3c6ff3a1eeb303b191184e80d412862 upstream.

Backport of the upstream commit, which fixed c6688ef9f297.
c6688ef9f297 got backported as commit b6f826ba10, as the unavailable
function usb_endpoint_maxp_mult had to be replaced. The upstream commit
removed the call to this function, so the backport is straightforward.

Original commit message:

Change the validation of number_of_packets in get_pipe to compare the
number of packets to a fixed maximum number of packets allowed, set to
be 1024. This number was chosen due to it being used by other drivers as
well, for example drivers/usb/host/uhci-q.c

Background/reason:
The get_pipe function in stub_rx.c validates the number of packets in
isochronous mode and aborts with an error if that number is too large,
in order to prevent malicious input from possibly triggering large
memory allocations. This was previously done by checking whether
pdu->u.cmd_submit.number_of_packets is bigger than the number of packets
that would be needed for pdu->u.cmd_submit.transfer_buffer_length bytes
if all except possibly the last packet had maximum length, given by
usb_endpoint_maxp(epd) * usb_endpoint_maxp_mult(epd). This leads to an
error if URBs with packets shorter than the maximum possible length are
submitted, which is allowed according to
Documentation/driver-api/usb/URB.rst and occurs for example with the
snd-usb-audio driver.

Fixes: b6f826ba10 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input")
Signed-off-by: Malte Leip <malte@leip.net>
Cc: stable <stable@vger.kernel.org> # 4.4.x
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-05-16 19:45:02 +02:00
Kconfig
Makefile
README
stub.h usbip: usbip_host: fix NULL-ptr deref and use-after-free errors 2018-05-26 08:48:52 +02:00
stub_dev.c usbip: usbip_host: fix NULL-ptr deref and use-after-free errors 2018-05-26 08:48:52 +02:00
stub_main.c usbip: usbip_host: fix bad unlock balance during stub_probe() 2018-05-26 08:48:52 +02:00
stub_rx.c usb: usbip: fix isoc packet num validation in get_pipe 2019-05-16 19:45:02 +02:00
stub_tx.c
usbip_common.c usbip: prevent leaking socket pointer address in messages 2018-01-31 12:06:12 +01:00
usbip_common.h usb: usbip: fix isoc packet num validation in get_pipe 2019-05-16 19:45:02 +02:00
usbip_event.c usb: usbip: Fix possible deadlocks reported by lockdep 2018-01-31 12:06:11 +01:00
usbip_protocol.txt
vhci.h
vhci_hcd.c usbip: keep usbip_device sockfd state in sync with tcp_socket 2018-02-25 11:03:38 +01:00
vhci_rx.c usb: usbip: Fix possible deadlocks reported by lockdep 2018-01-31 12:06:11 +01:00
vhci_sysfs.c usbip: fix 3eee23c3ec14 tcp_socket address still in the status file 2018-02-16 20:09:36 +01:00
vhci_tx.c usb: usbip: Fix possible deadlocks reported by lockdep 2018-01-31 12:06:11 +01:00

TODO:
	- more discussion about the protocol
	- testing
	- review of the userspace interface
	- document the protocol

Please send patches for this code to Greg Kroah-Hartman <greg@kroah.com>