From: Andrey Konovalov
To: Mike Isely, Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov
Subject: [PATCH] media: pvrusb2: properly check endpoint types
Date: Thu, 2 Nov 2017 14:52:27 +0100
Message-Id: <33aff2c8fed7ea8fb30c58b5a255a4e8a0aad6d5.1509630639.git.andreyknvl@google.com>

As syzkaller detected, pvrusb2 driver submits bulk urb without checking
that the endpoint type is actually bulk. Add a check.

usb 1-1: BOGUS urb xfer, pipe 3 != type 1
------------[ cut here ]------------
WARNING: CPU: 1 PID: 2713 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0
Modules linked in:
CPU: 1 PID: 2713 Comm: pvrusb2-context Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #210
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006b7a18c0 task.stack: ffff880069978000
RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
RSP: 0018:ffff88006997f990 EFLAGS: 00010286
RAX: 0000000000000029 RBX: ffff880063661900 RCX: 0000000000000000
RDX: 0000000000000029 RSI: ffffffff86876d60 RDI: ffffed000d32ff24
RBP: ffff88006997fa90 R08: 1ffff1000d32fdca R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1000d32ff39
R13: 0000000000000001 R14: 0000000000000003 R15: ffff880068bbed68
FS: 0000000000000000(0000) GS:ffff88006c600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001032000 CR3: 000000006a0ff000 CR4: 00000000000006f0
Call Trace:
 pvr2_send_request_ex+0xa57/0x1d80 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:3645
 pvr2_hdw_check_firmware drivers/media/usb/pvrusb2/pvrusb2-hdw.c:1812
 pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2107
 pvr2_hdw_setup
drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2250 pvr2_hdw_initialize+0x548/0x3c10 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2327 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:118 pvr2_context_thread_func+0x361/0x8c0 drivers/media/usb/pvrusb2/pvrusb2-context.c:167 kthread+0x3a1/0x470 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 ee 82 89 fe 45 89 e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 40 c0 ea 86 e8 30 1b dc fc <0f> ff e9 9b f7 ff ff e8 aa 95 25 fd e9 80 f7 ff ff e8 50 74 f3 ---[ end trace 6919030503719da6 ]--- Signed-off-by: Andrey Konovalov --- drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c index ad5b25b89699..44975061b953 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c @@ -3642,6 +3642,12 @@ static int pvr2_send_request_ex(struct pvr2_hdw *hdw, hdw); hdw->ctl_write_urb->actual_length = 0; hdw->ctl_write_pend_flag = !0; + if (usb_urb_ep_type_check(hdw->ctl_write_urb)) { + pvr2_trace( + PVR2_TRACE_ERROR_LEGS, + "Invalid write control endpoint"); + return -EINVAL; + } status = usb_submit_urb(hdw->ctl_write_urb,GFP_KERNEL); if (status < 0) { pvr2_trace(PVR2_TRACE_ERROR_LEGS, @@ -3666,6 +3672,12 @@ status); hdw); hdw->ctl_read_urb->actual_length = 0; hdw->ctl_read_pend_flag = !0; + if (usb_urb_ep_type_check(hdw->ctl_read_urb)) { + pvr2_trace( + PVR2_TRACE_ERROR_LEGS, + "Invalid read control endpoint"); + return -EINVAL; + } status = usb_submit_urb(hdw->ctl_read_urb,GFP_KERNEL); if (status < 0) { pvr2_trace(PVR2_TRACE_ERROR_LEGS,
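
Review bot: In the first hunk (write path), the new `return -EINVAL` comes after `hdw->ctl_write_pend_flag = !0;`, so on a bad endpoint the function exits with the pending flag still set although no URB was ever submitted. Either run `usb_urb_ep_type_check(hdw->ctl_write_urb)` before the flag is set, or clear the flag before returning. It is also worth confirming that a bare `return` is correct here: the existing `if (status < 0)` branch right below is the function's established failure path for this URB, and if that branch goes through shared cleanup rather than returning directly, the new check should take the same route. The trace message would be more useful for triage if it said the endpoint is not a bulk endpoint, which is what the check actually tests.

Review bot: In the second hunk (read path), the early `return -EINVAL` has the same stale-flag problem with `hdw->ctl_read_pend_flag = !0;`, and it adds a second one: this check sits after the write-side `usb_submit_urb(hdw->ctl_write_urb,GFP_KERNEL)` from the first hunk, so if the write URB was submitted on this call, returning here leaves it in flight with nothing waiting for or cancelling it. Validating both endpoints before either URB is submitted avoids that, and since the endpoint types come from the device's descriptors and do not change per request, a one-time check when the device is set up would reject a malformed device earlier than a per-request check does.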