USB: core: Avoid WARNings for 0-length descriptor requests

Message ID 20210604161039.GI1676809@rowland.harvard.edu
State Superseded

Commit Message

Alan Stern June 4, 2021, 4:10 p.m.
The USB core has utility routines to retrieve various types of
descriptors.  These routines will now provoke a WARN if they are asked
to retrieve 0 bytes (USB "receive" requests must not have zero
length), so avert this by checking the size argument at the start.

Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Johan Hovold <johan@kernel.org>

---


[as1962]


 drivers/usb/core/message.c |    4 ++++
 1 file changed, 4 insertions(+)

Comments

Peter Chen June 7, 2021, 2:31 a.m. | #1
On 21-06-04 12:10:39, Alan Stern wrote:
> The USB core has utility routines to retrieve various types of
> descriptors.  These routines will now provoke a WARN if they are asked
> to retrieve 0 bytes (USB "receive" requests must not have zero
> length), so avert this by checking the size argument at the start.
> 
> Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com
> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> CC: Johan Hovold <johan@kernel.org>
> 
> ---
> 
> 
> [as1962]
> 
> 

>  drivers/usb/core/message.c |    4 ++++

>  1 file changed, 4 insertions(+)

> 

> Index: usb-devel/drivers/usb/core/message.c

> ===================================================================

> --- usb-devel.orig/drivers/usb/core/message.c

> +++ usb-devel/drivers/usb/core/message.c

> @@ -783,6 +783,8 @@ int usb_get_descriptor(struct usb_device

>  	int i;

>  	int result;

>  

> +	if (size <= 0)		/* No point in asking for no data */

> +		return -EINVAL;


One blank line after if {}

>  	memset(buf, 0, size);	/* Make sure we parse really received data */

>  

>  	for (i = 0; i < 3; ++i) {

> @@ -832,6 +834,8 @@ static int usb_get_string(struct usb_dev

>  	int i;

>  	int result;

>  

> +	if (size <= 0)		/* No point in asking for no data */

> +		return -EINVAL;


One blank line after if {}

>  	for (i = 0; i < 3; ++i) {

>  		/* retry on length 0 or stall; some devices are flakey */

>  		result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),


-- 

Thanks,
Peter Chen
Johan Hovold June 7, 2021, 7:57 a.m. | #2
On Fri, Jun 04, 2021 at 12:10:39PM -0400, Alan Stern wrote:
> The USB core has utility routines to retrieve various types of
> descriptors.  These routines will now provoke a WARN if they are asked
> to retrieve 0 bytes (USB "receive" requests must not have zero
> length), so avert this by checking the size argument at the start.
> 
> Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com
> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> CC: Johan Hovold <johan@kernel.org>
> 
> ---
> 
> 
> [as1962]
> 
> 

>  drivers/usb/core/message.c |    4 ++++

>  1 file changed, 4 insertions(+)

> 

> Index: usb-devel/drivers/usb/core/message.c

> ===================================================================

> --- usb-devel.orig/drivers/usb/core/message.c

> +++ usb-devel/drivers/usb/core/message.c

> @@ -783,6 +783,8 @@ int usb_get_descriptor(struct usb_device

>  	int i;

>  	int result;

>  

> +	if (size <= 0)		/* No point in asking for no data */

> +		return -EINVAL;


I'd put a newline after the sanity checks as Peter suggested too, but
looks good otherwise so either way:

Reviewed-by: Johan Hovold <johan@kernel.org>


>  	memset(buf, 0, size);	/* Make sure we parse really received data */

>  

>  	for (i = 0; i < 3; ++i) {

> @@ -832,6 +834,8 @@ static int usb_get_string(struct usb_dev

>  	int i;

>  	int result;

>  

> +	if (size <= 0)		/* No point in asking for no data */

> +		return -EINVAL;

>  	for (i = 0; i < 3; ++i) {

>  		/* retry on length 0 or stall; some devices are flakey */

>  		result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),


Johan
Johan Hovold June 7, 2021, 3:26 p.m. | #3
On Mon, Jun 07, 2021 at 11:23:07AM -0400, Alan Stern wrote:
> The USB core has utility routines to retrieve various types of
> descriptors.  These routines will now provoke a WARN if they are asked
> to retrieve 0 bytes (USB "receive" requests must not have zero
> length), so avert this by checking the size argument at the start.
> 
> Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com
> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> CC: Johan Hovold <johan@kernel.org>
> 
> ---
> 
> v2: Added extra blank lines following the sanity tests.


Even better.

Reviewed-by: Johan Hovold <johan@kernel.org>


>  drivers/usb/core/message.c |    6 ++++++

>  1 file changed, 6 insertions(+)

> 

> Index: usb-devel/drivers/usb/core/message.c

> ===================================================================

> --- usb-devel.orig/drivers/usb/core/message.c

> +++ usb-devel/drivers/usb/core/message.c

> @@ -783,6 +783,9 @@ int usb_get_descriptor(struct usb_device

>  	int i;

>  	int result;

>  

> +	if (size <= 0)		/* No point in asking for no data */

> +		return -EINVAL;

> +

>  	memset(buf, 0, size);	/* Make sure we parse really received data */

>  

>  	for (i = 0; i < 3; ++i) {

> @@ -832,6 +835,9 @@ static int usb_get_string(struct usb_dev

>  	int i;

>  	int result;

>  

> +	if (size <= 0)		/* No point in asking for no data */

> +		return -EINVAL;

> +

>  	for (i = 0; i < 3; ++i) {

>  		/* retry on length 0 or stall; some devices are flakey */

>  		result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),

>

Patch

Index: usb-devel/drivers/usb/core/message.c
===================================================================
--- usb-devel.orig/drivers/usb/core/message.c
+++ usb-devel/drivers/usb/core/message.c
@@ -783,6 +783,8 @@  int usb_get_descriptor(struct usb_device
 	int i;
 	int result;
 
+	if (size <= 0)		/* No point in asking for no data */
+		return -EINVAL;
 	memset(buf, 0, size);	/* Make sure we parse really received data */
 
 	for (i = 0; i < 3; ++i) {
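Review bot: The comment on the new `if (size <= 0)` test in usb_get_descriptor() explains only the zero case, but the test also keeps a negative size from reaching `memset(buf, 0, size)` on the following line, where it would be converted to a very large unsigned length. I would say that in the comment (something like "reject zero and negative lengths") so a later cleanup does not narrow the test to `size == 0`, and put a blank line between `return -EINVAL;` and the memset() so the sanity check stands apart from the body.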
@@ -832,6 +834,8 @@  static int usb_get_string(struct usb_dev
 	int i;
 	int result;
 
+	if (size <= 0)		/* No point in asking for no data */
+		return -EINVAL;
 	for (i = 0; i < 3; ++i) {
 		/* retry on length 0 or stall; some devices are flakey */
 		result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
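Review bot: In usb_get_string() the early `return -EINVAL;` sits directly against the `for (i = 0; i < 3; ++i)` retry loop, whose existing comment "retry on length 0 or stall" is about a zero-length reply from the device, not a zero-length request, and the two are easy to confuse when read back to back. A blank line after the check and a comment that says "requested size" would keep them apart. Since the function is static, it is also worth confirming that each caller in message.c either passes a positive size or handles -EINVAL, because a zero-length call now fails before the usb_control_msg() loop is entered.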