Source-Changes-HG archive
[src/trunk]: src/sys/dev/usb If we failed because we didn't encounter an endp...
details: https://anonhg.NetBSD.org/src/rev/136070e3c548
branches: trunk
changeset: 933946:136070e3c548
user: maxv <maxv%NetBSD.org@localhost>
date: Sun May 31 17:52:58 2020 +0000
description:
If we failed because we didn't encounter an endpoint, do not attempt to
read 'ed', because its value is past the end of the buffer, and we thus
perform out-of-bounds accesses.
Detected thanks to vHCI+KASAN. First bug found by USB fuzzing.
Reported-by: syzbot+59e7f6b3f353584ac810%syzkaller.appspotmail.com@localhost
diffstat:
sys/dev/usb/usb_subr.c | 19 +++++++++++++------
1 files changed, 13 insertions(+), 6 deletions(-)
diffs (40 lines):
diff -r 50a99227a643 -r 136070e3c548 sys/dev/usb/usb_subr.c
--- a/sys/dev/usb/usb_subr.c Sun May 31 17:45:02 2020 +0000
+++ b/sys/dev/usb/usb_subr.c Sun May 31 17:52:58 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: usb_subr.c,v 1.244 2020/03/14 03:01:36 christos Exp $ */
+/* $NetBSD: usb_subr.c,v 1.245 2020/05/31 17:52:58 maxv Exp $ */
/* $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $ */
/*
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.244 2020/03/14 03:01:36 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.245 2020/05/31 17:52:58 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_compat_netbsd.h"
@@ -447,10 +447,17 @@
break;
}
/* passed end, or bad desc */
- printf("usbd_fill_iface_data: bad descriptor(s): %s\n",
- ed->bLength == 0 ? "0 length" :
- ed->bDescriptorType == UDESC_INTERFACE ? "iface desc":
- "out of data");
+ if (p < end) {
+ if (ed->bLength == 0) {
+ printf("%s: bad descriptor: 0 length\n",
+ __func__);
+ } else {
+ printf("%s: bad descriptor: iface desc\n",
+ __func__);
+ }
+ } else {
+ printf("%s: no desc found\n", __func__);
+ }
goto bad;
found:
ifc->ui_endpoints[endpt].ue_edesc = ed;
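Review bot: In the `p < end` branch, the inner `else` prints "iface desc" for any non-zero `ed->bLength`, whereas the removed lines tested `ed->bDescriptorType == UDESC_INTERFACE` before using that label. If the loop can reach this point for any other reason, the message will mislabel the failure. Either restore the type test, guarded so that the second byte of the descriptor is also known to be inside the buffer, or word the message neutrally. Separately, `p < end` only establishes that at least one byte remains at `p`; that is enough for `ed->bLength` only if `ed` points at `p` here, which the hunk does not show. A one-line comment stating that invariant above the `if (p < end)` check would make the bounds reasoning reviewable on its own.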