Commit 5d6ae4f0 authored by Chris Dickens's avatar Chris Dickens Committed by Felipe Balbi
Browse files

usb: gadget: composite: fix incorrect handling of OS desc requests 



When handling an OS descriptor request, one of the first operations is
to zero out the request buffer using the wLength from the setup packet.
There is no bounds checking, so a wLength > 4096 would clobber memory
adjacent to the request buffer. Fix this by taking the min of wLength
and the request buffer length prior to the memset. While at it, define
the buffer length in a header file so that magic numbers don't appear
throughout the code.

When returning data to the host, the data length should be the min of
the wLength and the valid data we have to return. Currently we are
returning wLength, thus requests for a wLength greater than the amount
of data in the OS descriptor buffer would return invalid (albeit zero'd)
data following the valid descriptor data. Fix this by counting the
number of bytes when constructing the data and using this when
determining the length of the request.

Signed-off-by: default avatarChris Dickens <christopher.a.dickens@gmail.com>
Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
parent f3768997

drivers/usb/gadget/composite.c

+19 −21
Original line number Diff line number Diff line
@@ -1422,7 +1422,7 @@ static int count_ext_compat(struct usb_configuration *c) 
	return res;

}



static void fill_ext_compat(struct usb_configuration *c, u8 *buf)

static int fill_ext_compat(struct usb_configuration *c, u8 *buf)

{

	int i, count;
@@ -1449,10 +1449,12 @@ static void fill_ext_compat(struct usb_configuration *c, u8 *buf) 
				buf += 23;

			}

			count += 24;

			if (count >= 4096)

				return;

			if (count + 24 >= USB_COMP_EP0_OS_DESC_BUFSIZ)

				return count;

		}

	}



	return count;

}



static int count_ext_prop(struct usb_configuration *c, int interface)
@@ -1497,25 +1499,20 @@ static int fill_ext_prop(struct usb_configuration *c, int interface, u8 *buf) 
	struct usb_os_desc *d;

	struct usb_os_desc_ext_prop *ext_prop;

	int j, count, n, ret;

	u8 *start = buf;



	f = c->interface[interface];

	count = 10; /* header length */

	for (j = 0; j < f->os_desc_n; ++j) {

		if (interface != f->os_desc_table[j].if_id)

			continue;

		d = f->os_desc_table[j].os_desc;

		if (d)

			list_for_each_entry(ext_prop, &d->ext_prop, entry) {

				/* 4kB minus header length */

				n = buf - start;

				if (n >= 4086)

					return 0;



				count = ext_prop->data_len +

				n = ext_prop->data_len +

					ext_prop->name_len + 14;

				if (count > 4086 - n)

					return -EINVAL;

				usb_ext_prop_put_size(buf, count);

				if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ)

					return count;

				usb_ext_prop_put_size(buf, n);

				usb_ext_prop_put_type(buf, ext_prop->type);

				ret = usb_ext_prop_put_name(buf, ext_prop->name,

							    ext_prop->name_len);
@@ -1541,11 +1538,12 @@ static int fill_ext_prop(struct usb_configuration *c, int interface, u8 *buf) 
				default:

					return -EINVAL;

				}

				buf += count;

				buf += n;

				count += n;

			}

	}



	return 0;

	return count;

}



/*
@@ -1827,6 +1825,7 @@ unknown: 
			req->complete = composite_setup_complete;

			buf = req->buf;

			os_desc_cfg = cdev->os_desc_config;

			w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ);

			memset(buf, 0, w_length);

			buf[5] = 0x01;

			switch (ctrl->bRequestType & USB_RECIP_MASK) {
@@ -1850,8 +1849,8 @@ unknown: 
					count += 16; /* header */

					put_unaligned_le32(count, buf);

					buf += 16;

					fill_ext_compat(os_desc_cfg, buf);

					value = w_length;

					value = fill_ext_compat(os_desc_cfg, buf);

					value = min_t(u16, w_length, value);

				}

				break;

			case USB_RECIP_INTERFACE:
@@ -1880,8 +1879,7 @@ unknown: 
							      interface, buf);

					if (value < 0)

						return value;



					value = w_length;

					value = min_t(u16, w_length, value);

				}

				break;

			}
@@ -2156,8 +2154,8 @@ int composite_os_desc_req_prepare(struct usb_composite_dev *cdev, 
		goto end;

	}



	/* OS feature descriptor length <= 4kB */

	cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL);

	cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ,

					 GFP_KERNEL);

	if (!cdev->os_desc_req->buf) {

		ret = -ENOMEM;

		usb_ep_free_request(ep0, cdev->os_desc_req);

include/linux/usb/composite.h

+3 −0
Original line number Diff line number Diff line
@@ -54,6 +54,9 @@ 
/* big enough to hold our biggest descriptor */

#define USB_COMP_EP0_BUFSIZ	1024



/* OS feature descriptor length <= 4kB */

#define USB_COMP_EP0_OS_DESC_BUFSIZ	4096



#define USB_MS_TO_HS_INTERVAL(x)	(ilog2((x * 1000 / 125)) + 1)

struct usb_configuration;

CRA Git | Maintained and supported by SUSTech CRA and CCSE