usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input

Harden CMD_SUBMIT path to handle malicious input that could trigger large memory allocations. Add checks to validate transfer_buffer_length and number_of_packets to protect against bad input requesting for unbounded memory allocations. Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Shuah Khan <shuahkh@osg.samsung.com> 2017-12-22 21:23:46 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-01-04 11:07:26 -0500
commit: b78d830f0049ef1966dc1e0ebd1ec2a594e2cf25 (patch)
tree: 1a10a829712741d12df492bb2a56dae4cddb1248
parent: 30a7acd573899fd8b8ac39236eff6468b195ac7d (diff)
1 files changed, 19 insertions, 0 deletions
diff --git a/drivers/usb/usbip/vudc_rx.c b/drivers/usb/usbip/vudc_rx.c
index df1e30989148..1e8a23d92cb4 100644
--- a/drivers/usb/usbip/vudc_rx.c
+++ b/drivers/usb/usbip/vudc_rx.c
@@ -120,6 +120,25 @@ static int v_recv_cmd_submit(struct vudc *udc,
        urb_p->new = 1;
        urb_p->seqnum = pdu->base.seqnum;
+        if (urb_p->ep->type == USB_ENDPOINT_XFER_ISOC) {
+                /* validate packet size and number of packets */
+                unsigned int maxp, packets, bytes;
+                maxp = usb_endpoint_maxp(urb_p->ep->desc);
+                maxp *= usb_endpoint_maxp_mult(urb_p->ep->desc);
+                bytes = pdu->u.cmd_submit.transfer_buffer_length;
+                packets = DIV_ROUND_UP(bytes, maxp);
+                if (pdu->u.cmd_submit.number_of_packets < 0 ||
+                    pdu->u.cmd_submit.number_of_packets > packets) {
+                        dev_err(&udc->gadget.dev,
+                                "CMD_SUBMIT: isoc invalid num packets %d\n",
+                                pdu->u.cmd_submit.number_of_packets);
+                        ret = -EMSGSIZE;
+                        goto free_urbp;
+                }
+        }
        ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type);
        if (ret) {
                usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC);
author	Shuah Khan <shuahkh@osg.samsung.com>	2017-12-22 21:23:46 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-01-04 11:07:26 -0500
commit	b78d830f0049ef1966dc1e0ebd1ec2a594e2cf25 (patch)
tree	1a10a829712741d12df492bb2a56dae4cddb1248
parent	30a7acd573899fd8b8ac39236eff6468b195ac7d (diff)

diff --git a/drivers/usb/usbip/vudc_rx.c b/drivers/usb/usbip/vudc_rx.c index df1e30989148..1e8a23d92cb4 100644 --- a/drivers/usb/usbip/vudc_rx.c +++ b/drivers/usb/usbip/vudc_rx.c
@@ -120,6 +120,25 @@ static int v_recv_cmd_submit(struct vudc *udc,
120	urb_p->new = 1;	120	urb_p->new = 1;
121	urb_p->seqnum = pdu->base.seqnum;	121	urb_p->seqnum = pdu->base.seqnum;
122		122
		123	if (urb_p->ep->type == USB_ENDPOINT_XFER_ISOC) {
		124	/* validate packet size and number of packets */
		125	unsigned int maxp, packets, bytes;
		126
		127	maxp = usb_endpoint_maxp(urb_p->ep->desc);
		128	maxp *= usb_endpoint_maxp_mult(urb_p->ep->desc);
		129	bytes = pdu->u.cmd_submit.transfer_buffer_length;
		130	packets = DIV_ROUND_UP(bytes, maxp);
		131
		132	if (pdu->u.cmd_submit.number_of_packets < 0 \|\|
		133	pdu->u.cmd_submit.number_of_packets > packets) {
		134	dev_err(&udc->gadget.dev,
		135	"CMD_SUBMIT: isoc invalid num packets %d\n",
		136	pdu->u.cmd_submit.number_of_packets);
		137	ret = -EMSGSIZE;
		138	goto free_urbp;
		139	}
		140	}
		141
123	ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type);	142	ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type);
124	if (ret) {	143	if (ret) {
125	usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC);	144	usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC);