| Message ID | 20210604161039.GI1676809@rowland.harvard.edu (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | USB: core: Avoid WARNings for 0-length descriptor requests | expand |
On 21-06-04 12:10:39, Alan Stern wrote: > The USB core has utility routines to retrieve various types of > descriptors. These routines will now provoke a WARN if they are asked > to retrieve 0 bytes (USB "receive" requests must not have zero > length), so avert this by checking the size argument at the start. > > Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com > Signed-off-by: Alan Stern <stern@rowland.harvard.edu> > CC: Johan Hovold <johan@kernel.org> > > --- > > > [as1962] > > > drivers/usb/core/message.c | 4 ++++ > 1 file changed, 4 insertions(+) > > Index: usb-devel/drivers/usb/core/message.c > =================================================================== > --- usb-devel.orig/drivers/usb/core/message.c > +++ usb-devel/drivers/usb/core/message.c > @@ -783,6 +783,8 @@ int usb_get_descriptor(struct usb_device > int i; > int result; > > + if (size <= 0) /* No point in asking for no data */ > + return -EINVAL; One blank line after if {} > memset(buf, 0, size); /* Make sure we parse really received data */ > > for (i = 0; i < 3; ++i) { > @@ -832,6 +834,8 @@ static int usb_get_string(struct usb_dev > int i; > int result; > > + if (size <= 0) /* No point in asking for no data */ > + return -EINVAL; One blank line after if {} > for (i = 0; i < 3; ++i) { > /* retry on length 0 or stall; some devices are flakey */ > result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
On Fri, Jun 04, 2021 at 12:10:39PM -0400, Alan Stern wrote: > The USB core has utility routines to retrieve various types of > descriptors. These routines will now provoke a WARN if they are asked > to retrieve 0 bytes (USB "receive" requests must not have zero > length), so avert this by checking the size argument at the start. > > Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com > Signed-off-by: Alan Stern <stern@rowland.harvard.edu> > CC: Johan Hovold <johan@kernel.org> > > --- > > > [as1962] > > > drivers/usb/core/message.c | 4 ++++ > 1 file changed, 4 insertions(+) > > Index: usb-devel/drivers/usb/core/message.c > =================================================================== > --- usb-devel.orig/drivers/usb/core/message.c > +++ usb-devel/drivers/usb/core/message.c > @@ -783,6 +783,8 @@ int usb_get_descriptor(struct usb_device > int i; > int result; > > + if (size <= 0) /* No point in asking for no data */ > + return -EINVAL; I'd put a newline after the sanity checks as Peter suggested too, but looks good otherwise so either way: Reviewed-by: Johan Hovold <johan@kernel.org> > memset(buf, 0, size); /* Make sure we parse really received data */ > > for (i = 0; i < 3; ++i) { > @@ -832,6 +834,8 @@ static int usb_get_string(struct usb_dev > int i; > int result; > > + if (size <= 0) /* No point in asking for no data */ > + return -EINVAL; > for (i = 0; i < 3; ++i) { > /* retry on length 0 or stall; some devices are flakey */ > result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), Johan
Index: usb-devel/drivers/usb/core/message.c =================================================================== --- usb-devel.orig/drivers/usb/core/message.c +++ usb-devel/drivers/usb/core/message.c @@ -783,6 +783,8 @@ int usb_get_descriptor(struct usb_device int i; int result; + if (size <= 0) /* No point in asking for no data */ + return -EINVAL; memset(buf, 0, size); /* Make sure we parse really received data */ for (i = 0; i < 3; ++i) { @@ -832,6 +834,8 @@ static int usb_get_string(struct usb_dev int i; int result; + if (size <= 0) /* No point in asking for no data */ + return -EINVAL; for (i = 0; i < 3; ++i) { /* retry on length 0 or stall; some devices are flakey */ result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
The USB core has utility routines to retrieve various types of descriptors. These routines will now provoke a WARN if they are asked to retrieve 0 bytes (USB "receive" requests must not have zero length), so avert this by checking the size argument at the start. Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com Signed-off-by: Alan Stern <stern@rowland.harvard.edu> CC: Johan Hovold <johan@kernel.org> --- [as1962] drivers/usb/core/message.c | 4 ++++ 1 file changed, 4 insertions(+)