linux/drivers/usb/core
Hans de Goede 845d584f41 USB: devio: Revert "USB: devio: Don't corrupt user memory"
Taking the uurb->buffer_length userspace passes in as a maximum for the
actual urb's transfer_buffer_length causes 2 serious issues:

1) It breaks isochronous support for all userspace apps using libusb,
   as existing libusb versions pass in 0 for uurb->buffer_length,
   relying on the kernel using the lengths of the usbdevfs_iso_packet_desc
   descriptors passed in added together as buffer length.

   This for example causes redirection of USB audio and webcams into
   virtual machines using qemu-kvm to no longer work. This is a userspace
   ABI break and as such must be reverted.

   Note that the original commit does not protect other users / the
   kernel's memory, it only stops the userspace process making the call
   from shooting itself in the foot.

2) It may cause the kernel to program host controllers to DMA over random
   memory. Just as the devio code used to only look at the iso_packet_desc
   lengths, the host drivers do the same, relying on the submitter of the
   urbs to make sure the entire buffer is large enough and not checking
   transfer_buffer_length.

   But the "USB: devio: Don't corrupt user memory" commit now takes the
   userspace provided uurb->buffer_length for the buffer-size while copying
   over the user-provided iso_packet_desc lengths 1:1, allowing the user
   to specify a small buffer size while programming the host controller to
   dma a lot more data.

   (At least the ohci, uhci, xhci and fhci drivers do not check
    transfer_buffer_length for isoc transfers.)

This reverts commit fa1ed74eb1 ("USB: devio: Don't corrupt user memory")
fixing both these issues.

Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-17 10:53:20 +02:00
buffer.c usb: separate out sysdev pointer from usb_bus 2017-03-23 08:20:21 +01:00
config.c USB: fix out-of-bounds in usb_set_configuration 2017-09-19 17:27:16 +02:00
devices.c usb: fix some references for /proc/bus/usb 2017-04-18 16:54:19 +02:00
devio.c USB: devio: Revert "USB: devio: Don't corrupt user memory" 2017-10-17 10:53:20 +02:00
driver.c usb: hub: Do not attempt to autosuspend disconnected devices 2017-03-23 08:13:22 +01:00
endpoint.c usb: patches for v4.10 merge window 2016-11-18 16:02:15 +01:00
file.c USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously 2017-03-29 11:55:25 +02:00
generic.c USB: core: add missing license information to some files 2016-10-29 12:51:56 -04:00
hcd-pci.c USB / PCI / PM: Allow the PCI core to do the resume cleanup 2017-06-15 00:55:43 +02:00
hcd.c Merge 4.13-rc5 into usb-next 2017-08-14 14:50:58 -07:00
hub.c usb: Increase quirk delay for USB devices 2017-09-18 11:28:23 +02:00
hub.h usb: Support USB 3.1 extended port status request 2016-01-24 20:16:52 -08:00
Kconfig docs-rst: fix usb cross-references 2017-04-11 14:41:29 -06:00
ledtrig-usbport.c usb: core: usbport: fix "BUG: key not in .data" when lockdep is enabled 2017-08-29 08:27:25 +02:00
Makefile usb: add CONFIG_USB_PCI for system have both PCI HW and non-PCI based USB HW 2017-03-17 13:16:56 +09:00
message.c USB: core: harden cdc_parse_cdc_header 2017-09-21 17:01:38 +02:00
notify.c USB: core: add missing license information to some files 2016-10-29 12:51:56 -04:00
of.c USB: of: document reference taken by child-lookup helper 2017-06-13 11:07:32 +02:00
otg_whitelist.h usb: core: use IS_ENABLED() instead of checking for built-in or module 2016-09-02 14:36:33 +02:00
port.c Revert "USB / PM: Allow USB devices to remain runtime-suspended when sleeping" 2016-05-02 08:44:31 -07:00
quirks.c usb: Add device quirk for Logitech HD Pro Webcam C920-C 2017-08-28 11:43:39 +02:00
sysfs.c usb: Convert to using %pOF instead of full_name 2017-07-22 15:56:53 +02:00
urb.c USB: core: replace %p with %pK 2017-05-17 11:27:41 +02:00
usb-acpi.c usb: optimize acpi companion search for usb port devices 2017-06-03 18:02:58 +09:00
usb.c USB: of: fix root-hub device-tree node handling 2017-06-13 11:07:32 +02:00
usb.h USB: core: add missing license information to some files 2016-10-29 12:51:56 -04:00