Source-Changes-HG archive


[src/netbsd-8]: src/sys/dev/usb Pull up following revision(s) (requested by k...



details:   https://anonhg.NetBSD.org/src/rev/f635dda9b425
branches:  netbsd-8
changeset: 434500:f635dda9b425
user:      snj <snj%NetBSD.org@localhost>
date:      Thu Dec 21 21:32:10 2017 +0000

description:
Pull up following revision(s) (requested by khorben in ticket #447):
        sys/dev/usb/usb_subr.c: revision 1.222
Be more defensive towards malicious USB devices
This avoids potential panics due to 0-sized memory allocation attempts,
which could be triggered by malicious USB devices.
Tested on NetBSD/amd64 with a Sony Xperia X (SailfishOS).
Based on an initial patch by Nick Hudson <skrll%NetBSD.org@localhost>, thanks!
Fixes PR kern/52383.

diffstat:

 sys/dev/usb/usb_subr.c |  18 ++++++++++++++++--
 1 files changed, 16 insertions(+), 2 deletions(-)

diffs (53 lines):

diff -r f7a5f6baabab -r f635dda9b425 sys/dev/usb/usb_subr.c
--- a/sys/dev/usb/usb_subr.c    Thu Dec 21 21:08:13 2017 +0000
+++ b/sys/dev/usb/usb_subr.c    Thu Dec 21 21:32:10 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: usb_subr.c,v 1.220.2.1 2017/11/02 21:29:52 snj Exp $   */
+/*     $NetBSD: usb_subr.c,v 1.220.2.2 2017/12/21 21:32:10 snj Exp $   */
 /*     $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $   */
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.220.2.1 2017/11/02 21:29:52 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.220.2.2 2017/12/21 21:32:10 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -609,6 +609,10 @@
                return err;
        }
        len = UGETW(cd.wTotalLength);
+       if (len == 0) {
+               DPRINTF("empty short descriptor", 0, 0, 0, 0);
+               return USBD_INVAL;
+       }
        cdp = kmem_alloc(len, KM_SLEEP);
 
        /* Get the full descriptor.  Try a few times for slow devices. */
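Review bot: The new `len == 0` test rejects only an empty `wTotalLength`, so a device reporting a length between 1 and the size of the configuration descriptor header still reaches `kmem_alloc(len, KM_SLEEP)`. Fields such as `cdp->bNumInterface` (read in the later hunk at -724) would then come from a buffer shorter than the header. Comparing against the header size closes that gap, e.g. `if (len < USB_CONFIG_DESCRIPTOR_SIZE) {`. The `blen == 0` test in the BOS hunk has the same shape and would want the equivalent minimum-size comparison for the BOS descriptor header. The enclosing function starts and ends outside this hunk, so whether a later check already covers short lengths cannot be seen from here.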
@@ -635,6 +639,11 @@
                err = usbd_get_bos_desc(dev, index, &bd);
                if (!err) {
                        int blen = UGETW(bd.wTotalLength);
+                       if (blen == 0) {
+                               DPRINTF("empty bos descriptor", 0, 0, 0, 0);
+                               err = USBD_INVAL;
+                               goto bad;
+                       }
                        bdp = kmem_alloc(blen, KM_SLEEP);
 
                        /* Get the full desc */
@@ -724,6 +733,11 @@
 
        /* Allocate and fill interface data. */
        nifc = cdp->bNumInterface;
+       if (nifc == 0) {
+               DPRINTF("no interfaces", 0, 0, 0, 0);
+               err = USBD_INVAL;
+               goto bad;
+       }
        dev->ud_ifaces = kmem_alloc(nifc * sizeof(struct usbd_interface),
            KM_SLEEP);
        DPRINTFN(5, "dev=%#jx cdesc=%#jx", (uintptr_t)dev, (uintptr_t)cdp,
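Review bot: `nifc` comes from the device-supplied `bNumInterface` and is now bounded below, but nothing visible in this hunk ties it to the number of interface descriptors actually present in the `len` bytes of `cdp`. Because the allocation is sized from the declared count, it is worth confirming that the code filling `ud_ifaces` (outside this hunk) fails cleanly when fewer interfaces are found than declared. It is also worth checking that the `bad` path frees `ud_ifaces` with the same `nifc * sizeof(struct usbd_interface)` size. A short comment on the check would help the next reader, for example `/* bNumInterface is device-controlled; never call kmem_alloc() with size 0 */`.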


