From 3894590c3d2be5fee0fdec47bfc37b5302ad54a4 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Wed, 19 Dec 2018 13:37:06 +0100
Subject: [PATCH] Revert "USB: check usb_get_extra_descriptor for proper size"
Patch-mainline: Never (revert for kAPI reasons)
References: bsc#1119714 CVE-2018-20169
This reverts commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/usb/core/hub.c | 2 +-
drivers/usb/core/usb.c | 6 +++---
drivers/usb/host/hwa-hc.c | 2 +-
include/linux/usb.h | 4 ++--
4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index f76b2e0aba9d..528664059a12 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2251,7 +2251,7 @@ static int usb_enumerate_device_otg(struct usb_device *udev)
/* descriptor may appear anywhere in config */
err = __usb_get_extra_descriptor(udev->rawdescriptors[0],
le16_to_cpu(udev->config[0].desc.wTotalLength),
- USB_DT_OTG, (void **) &desc, sizeof(*desc));
+ USB_DT_OTG, (void **) &desc);
if (err || !(desc->bmAttributes & USB_OTG_HNP))
return 0;
diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
index 4ebfbd737905..79d8bd7a612e 100644
--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
@@ -832,14 +832,14 @@ EXPORT_SYMBOL_GPL(usb_get_current_frame_number);
*/
int __usb_get_extra_descriptor(char *buffer, unsigned size,
- unsigned char type, void **ptr, size_t minsize)
+ unsigned char type, void **ptr)
{
struct usb_descriptor_header *header;
while (size >= sizeof(struct usb_descriptor_header)) {
header = (struct usb_descriptor_header *)buffer;
- if (header->bLength < 2 || header->bLength > size) {
+ if (header->bLength < 2) {
printk(KERN_ERR
"%s: bogus descriptor, type %d length %d\n",
usbcore_name,
@@ -848,7 +848,7 @@ int __usb_get_extra_descriptor(char *buffer, unsigned size,
return -1;
}
- if (header->bDescriptorType == type && header->bLength >= minsize) {
+ if (header->bDescriptorType == type) {
*ptr = header;
return 0;
}
diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
index 09a8ebd95588..684d6f074c3a 100644
--- a/drivers/usb/host/hwa-hc.c
+++ b/drivers/usb/host/hwa-hc.c
@@ -640,7 +640,7 @@ static int hwahc_security_create(struct hwahc *hwahc)
top = itr + itr_size;
result = __usb_get_extra_descriptor(usb_dev->rawdescriptors[index],
le16_to_cpu(usb_dev->actconfig->desc.wTotalLength),
- USB_DT_SECURITY, (void **) &secd, sizeof(*secd));
+ USB_DT_SECURITY, (void **) &secd);
if (result == -1) {
dev_warn(dev, "BUG? WUSB host has no security descriptors\n");
return 0;
diff --git a/include/linux/usb.h b/include/linux/usb.h
index 5e49e82c4368..4cdd515a4385 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -407,11 +407,11 @@ struct usb_host_bos {
};
int __usb_get_extra_descriptor(char *buffer, unsigned size,
- unsigned char type, void **ptr, size_t min);
+ unsigned char type, void **ptr);
#define usb_get_extra_descriptor(ifpoint, type, ptr) \
__usb_get_extra_descriptor((ifpoint)->extra, \
(ifpoint)->extralen, \
- type, (void **)ptr, sizeof(**(ptr)))
+ type, (void **)ptr)
/* ----------------------------------------------------------------------- */
--
2.16.4