Module Name: src Committed By: maxv Date: Sun May 31 17:52:59 UTC 2020
Modified Files: src/sys/dev/usb: usb_subr.c Log Message: If we failed because we didn't encounter an endpoint, do not attempt to read 'ed', because its value is past the end of the buffer, and we thus perform out-of-bounds accesses. Detected thanks to vHCI+KASAN. First bug found by USB fuzzing. Reported-by: syzbot+59e7f6b3f353584ac...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.244 -r1.245 src/sys/dev/usb/usb_subr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/usb/usb_subr.c
diff -u src/sys/dev/usb/usb_subr.c:1.244 src/sys/dev/usb/usb_subr.c:1.245
--- src/sys/dev/usb/usb_subr.c:1.244 Sat Mar 14 03:01:36 2020
+++ src/sys/dev/usb/usb_subr.c Sun May 31 17:52:58 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: usb_subr.c,v 1.244 2020/03/14 03:01:36 christos Exp $ */
+/* $NetBSD: usb_subr.c,v 1.245 2020/05/31 17:52:58 maxv Exp $ */
 /* $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $ */
 /*
@@ -32,7 +32,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.244 2020/03/14 03:01:36 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.245 2020/05/31 17:52:58 maxv Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -447,10 +447,17 @@ usbd_fill_iface_data(struct usbd_device
 break;
 }
 /* passed end, or bad desc */
- printf("usbd_fill_iface_data: bad descriptor(s): %s\n",
- ed->bLength == 0 ? "0 length" :
- ed->bDescriptorType == UDESC_INTERFACE ? "iface desc":
- "out of data");
+ if (p < end) {
+ if (ed->bLength == 0) {
+ printf("%s: bad descriptor: 0 length\n",
+ __func__);
+ } else {
+ printf("%s: bad descriptor: iface desc\n",
+ __func__);
+ }
+ } else {
+ printf("%s: no desc found\n", __func__);
+ }
 goto bad;
 found:
 ifc->ui_endpoints[endpt].ue_edesc = ed;
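Review bot: The added `if (p < end)` in the last hunk is the only thing that makes `ed->bLength` safe to read, and nothing on the new lines records that. A later edit that reorders the branches or reads another field of `ed` here could bring back the out-of-bounds access this commit removes. `p < end` shows only that the first byte of the descriptor lies inside the buffer, which is enough for `bLength` if it is the first field as in the standard USB descriptor layout. The inner `else` prints "iface desc" without looking at `bDescriptorType`, so it presumably depends on the loop above breaking only on a zero length or an interface descriptor; that loop, like the rest of usbd_fill_iface_data, is outside the hunk. I would add above the `if`: `/* p < end: the loop exited via break, so ed is in bounds; otherwise ed is stale or past the buffer and must not be dereferenced */`.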