linux-stable.git/drivers/usb/usbip, branch linux-4.5.y Linux kernel stable tree USB: usbip: fix potential out-of-bounds write 2016-05-04T21:49:10+00:00 Ignat Korchagin ignat.korchagin@gmail.com 2016-03-17T18:00:29+00:00 4bca37b600a44859893b45ca87001b808907fff7 commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb upstream. Fix potential out-of-bounds write to urb->transfer_buffer usbip handles network communication directly in the kernel. When receiving a packet from its peer, usbip code parses headers according to protocol. As part of this parsing urb->actual_length is filled. Since the input for urb->actual_length comes from the network, it should be treated as untrusted. Any entity controlling the network may put any value in the input and the preallocated urb->transfer_buffer may not be large enough to hold the data. Thus, the malicious entity is able to write arbitrary data to kernel memory. Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com> Cc: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb upstream.

Fix potential out-of-bounds write to urb->transfer_buffer
usbip handles network communication directly in the kernel. When receiving a
packet from its peer, usbip code parses headers according to protocol. As
part of this parsing urb->actual_length is filled. Since the input for
urb->actual_length comes from the network, it should be treated as untrusted.
Any entity controlling the network may put any value in the input and the
preallocated urb->transfer_buffer may not be large enough to hold the data.
Thus, the malicious entity is able to write arbitrary data to kernel memory.

Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usbip: vhci_hcd: at unlink, return -EIDRM if vhci_rx took the urb 2015-10-04T09:59:03+00:00 Igor Kotrasinski i.kotrasinsk@samsung.com 2015-09-21T09:30:45+00:00 635e664a6b4d4b9c12f507045d156ea419b62dff In a situation where the urb is about to be returned or was never there, we should return -EIDRM (as per usb_hcd_check_unlink_urb). This is exactly the situation when the urb is picked up by vhci_rx before we access priv. Return -EIDRM rather than 0 when this happens. Signed-off-by: Igor Kotrasinski <i.kotrasinsk@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
In a situation where the urb is about to be returned or was never
there, we should return -EIDRM (as per usb_hcd_check_unlink_urb).
This is exactly the situation when the urb is picked up by vhci_rx
before we access priv.

Return -EIDRM rather than 0 when this happens.

Signed-off-by: Igor Kotrasinski <i.kotrasinsk@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usbip: vhci_hcd: only return urb at enqueue when served 2015-10-04T09:59:03+00:00 Igor Kotrasinski i.kotrasinsk@samsung.com 2015-09-21T09:30:44+00:00 03b0a52822fec8fba351fd472f3adda6fd760e77 We handle USB_REQ_SET_ADDRESS at enqueue, so we want to perform cleanup and giveback the urb. We should not call usb_hcd_giveback_urb when we're cleaning up after a failed enqueue, though. Only giveback the urb at cleanup when we claim to have served it. Signed-off-by: Igor Kotrasinski <i.kotrasinsk@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
We handle USB_REQ_SET_ADDRESS at enqueue, so we want to perform
cleanup and giveback the urb. We should not call usb_hcd_giveback_urb
when we're cleaning up after a failed enqueue, though.

Only giveback the urb at cleanup when we claim to have served it.

Signed-off-by: Igor Kotrasinski <i.kotrasinsk@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usbip: vhci_hcd: Convert use of __constant_cpu_to_le16 to cpu_to_le16 2015-10-04T09:45:08+00:00 Vaishali Thakkar vthakkar1994@gmail.com 2015-08-19T05:17:46+00:00 0c596336a8e73a1773f38159ae2ef7b062863d80 In big endian cases, macro cpu_to_le16 unfolds to __swab16 which provides special case for constants. In little endian cases, __constant_cpu_to_le16 and cpu_to_le16 expand directly to the same expression. So, replace __constant_cpu_to_le16 with cpu_to_le16 with the goal of getting rid of the definition of __constant_cpu_to_le16 completely. The semantic patch that performs this transformation is as follows: @@expression x;@@ - __constant_cpu_to_le16(x) + cpu_to_le16(x) Signed-off-by: Vaishali Thakkar <vthakkar1994@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
In big endian cases, macro cpu_to_le16 unfolds to __swab16 which
provides special case for constants. In little endian cases,
__constant_cpu_to_le16 and cpu_to_le16 expand directly to the
same expression. So, replace __constant_cpu_to_le16 with
cpu_to_le16 with the goal of getting rid of the definition of
__constant_cpu_to_le16 completely.

The semantic patch that performs this transformation is as follows:

@@expression x;@@

- __constant_cpu_to_le16(x)
+ cpu_to_le16(x)

Signed-off-by: Vaishali Thakkar <vthakkar1994@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usbip: vhci_hcd: use USB_DT_HUB 2015-04-03T17:03:15+00:00 Sergei Shtylyov sergei.shtylyov@cogentembedded.com 2015-03-28T22:45:02+00:00 8f413d807b37efcc7c7fa45f824f08d614a8cc0a Fix using the bare number to set the 'bDescriptorType' field of the Hub Descriptor while the value is #define'd in <linux/usb/ch11.h>. Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Acked-by: Valentina Manea <valentina.manea.m@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Fix  using the  bare number to set the 'bDescriptorType' field of the Hub
Descriptor while the value  is #define'd in <linux/usb/ch11.h>.

Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Acked-by: Valentina Manea <valentina.manea.m@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usbip: vhci_hcd: use HUB_CHAR_* 2015-01-25T13:02:33+00:00 Sergei Shtylyov sergei.shtylyov@cogentembedded.com 2015-01-18T23:00:56+00:00 1cc9af8711613668d23b60f0c3d648a1e3c4ddc8 Fix using the bare number to set the 'wHubCharacteristics' field of the Hub Descriptor while the values are #define'd in <linux/usb/ch11.h>. Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Acked-by: Valentina Manea <valentina.manea.m@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Fix  using the  bare number  to set the 'wHubCharacteristics' field of the Hub
Descriptor while the values are #define'd in <linux/usb/ch11.h>.

Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Acked-by: Valentina Manea <valentina.manea.m@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge tag 'driver-core-3.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core 2014-12-15T00:10:09+00:00 Linus Torvalds torvalds@linux-foundation.org 2014-12-15T00:10:09+00:00 e6b5be2be4e30037eb551e0ed09dd97bd00d85d3 Pull driver core update from Greg KH: "Here's the set of driver core patches for 3.19-rc1. They are dominated by the removal of the .owner field in platform drivers. They touch a lot of files, but they are "simple" changes, just removing a line in a structure. Other than that, a few minor driver core and debugfs changes. There are some ath9k patches coming in through this tree that have been acked by the wireless maintainers as they relied on the debugfs changes. Everything has been in linux-next for a while" * tag 'driver-core-3.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (324 commits) Revert "ath: ath9k: use debugfs_create_devm_seqfile() helper for seq_file entries" fs: debugfs: add forward declaration for struct device type firmware class: Deletion of an unnecessary check before the function call "vunmap" firmware loader: fix hung task warning dump devcoredump: provide a one-way disable function device: Add dev_<level>_once variants ath: ath9k: use debugfs_create_devm_seqfile() helper for seq_file entries ath: use seq_file api for ath9k debugfs files debugfs: add helper function to create device related seq_file drivers/base: cacheinfo: remove noisy error boot message Revert "core: platform: add warning if driver has no owner" drivers: base: support cpu cache information interface to userspace via sysfs drivers: base: add cpu_device_create to support per-cpu devices topology: replace custom attribute macros with standard DEVICE_ATTR* cpumask: factor out show_cpumap into separate helper function driver core: Fix unbalanced device reference in drivers_probe driver core: fix race with userland in device_add() sysfs/kernfs: make read requests on pre-alloc files use the buffer. sysfs/kernfs: allow attributes to request write buffer be pre-allocated. fs: sysfs: return EGBIG on write if offset is larger than file size ... 
Pull driver core update from Greg KH:
 "Here's the set of driver core patches for 3.19-rc1.

  They are dominated by the removal of the .owner field in platform
  drivers.  They touch a lot of files, but they are "simple" changes,
  just removing a line in a structure.

  Other than that, a few minor driver core and debugfs changes.  There
  are some ath9k patches coming in through this tree that have been
  acked by the wireless maintainers as they relied on the debugfs
  changes.

  Everything has been in linux-next for a while"

* tag 'driver-core-3.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (324 commits)
  Revert "ath: ath9k: use debugfs_create_devm_seqfile() helper for seq_file entries"
  fs: debugfs: add forward declaration for struct device type
  firmware class: Deletion of an unnecessary check before the function call "vunmap"
  firmware loader: fix hung task warning dump
  devcoredump: provide a one-way disable function
  device: Add dev_<level>_once variants
  ath: ath9k: use debugfs_create_devm_seqfile() helper for seq_file entries
  ath: use seq_file api for ath9k debugfs files
  debugfs: add helper function to create device related seq_file
  drivers/base: cacheinfo: remove noisy error boot message
  Revert "core: platform: add warning if driver has no owner"
  drivers: base: support cpu cache information interface to userspace via sysfs
  drivers: base: add cpu_device_create to support per-cpu devices
  topology: replace custom attribute macros with standard DEVICE_ATTR*
  cpumask: factor out show_cpumap into separate helper function
  driver core: Fix unbalanced device reference in drivers_probe
  driver core: fix race with userland in device_add()
  sysfs/kernfs: make read requests on pre-alloc files use the buffer.
  sysfs/kernfs: allow attributes to request write buffer be pre-allocated.
  fs: sysfs: return EGBIG on write if offset is larger than file size
  ...
usbip: fix error handling in stub_probe() 2014-12-03T00:15:02+00:00 Alexey Khoroshilov khoroshilov@ispras.ru 2014-11-28T22:29:10+00:00 3ff67445750a84de67faaf52c6e1895cb09f2c56 If usb_hub_claim_port() fails, no resources are deallocated and if stub_add_files() fails, port is not released. The patch fixes these issues and rearranges error handling code. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Acked-by: Valentina Manea <valentina.manea.m@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
If usb_hub_claim_port() fails, no resources are deallocated and
if stub_add_files() fails, port is not released.

The patch fixes these issues and rearranges error handling code.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Valentina Manea <valentina.manea.m@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB-IP: Deletion of unnecessary checks before the function call "usb_put_dev" 2014-11-25T01:23:41+00:00 Markus Elfring elfring@users.sourceforge.net 2014-11-21T15:33:18+00:00 03f3df817dd3bf988c6d56e10e99b5b4553f5044 The usb_put_dev() function tests whether its argument is NULL and then returns immediately. Thus the test around the call is not needed. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Acked-by: Valentina Manea <valentina.manea.m@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The usb_put_dev() function tests whether its argument is NULL and then
returns immediately. Thus the test around the call is not needed.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Acked-by: Valentina Manea <valentina.manea.m@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: usbip: drop owner assignment from platform_drivers 2014-10-20T14:21:51+00:00 Wolfram Sang wsa@the-dreams.de 2014-10-20T14:21:51+00:00 0ca4ac7fb3a9b4c15d195778affc040415af90b4 A platform_driver does not need to set an owner, it will be populated by the driver core. Signed-off-by: Wolfram Sang <wsa@the-dreams.de> 
A platform_driver does not need to set an owner, it will be populated by the
driver core.

Signed-off-by: Wolfram Sang <wsa@the-dreams.de>