Lines Matching +full:usb +full:- +full:c
4 Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious
8 no out-of-bound checking to prevent a malicious USB device to report large
11 Fixes: CVE-2020-25647
13 Reported-by: Joseph Tartaro <joseph.tartaro@ioactive.com>
14 Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
15 Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
16 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
17 Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
18 ---
19 grub-core/bus/usb/usb.c | 15 ++++++++++++---
20 include/grub/usb.h | 10 +++++++---
21 2 files changed, 19 insertions(+), 6 deletions(-)
23 diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c
25 --- a/grub-core/bus/usb/usb.c
26 +++ b/grub-core/bus/usb/usb.c
27 @@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
34 dev->toggle[endpoint] = 0;
37 @@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
39 descdev = &dev->descdev;
41 - for (i = 0; i < 8; i++)
43 dev->config[i].descconf = NULL;
45 - if (descdev->configcnt == 0)
46 + if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
50 @@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
52 pos = dev->config[i].descconf->length;
54 + if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
61 for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
63 @@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
67 - for (i = 0; i < 8; i++)
69 grub_free (dev->config[i].descconf);
72 diff --git a/include/grub/usb.h b/include/grub/usb.h
74 --- a/include/grub/usb.h
75 +++ b/include/grub/usb.h
76 @@ -23,6 +23,10 @@
87 @@ -167,7 +171,7 @@ struct grub_usb_configuration
91 - struct grub_usb_interface interf[32];
96 @@ -191,7 +195,7 @@ struct grub_usb_device
100 - struct grub_usb_configuration config[8];
105 @@ -203,7 +207,7 @@ struct grub_usb_device
109 - int toggle[256];
114 --