Sun Jun 26 21:35:53 2022 UTC ()
umcs(4): Reject invalid interrupt endpoints.

Reported-by: syzbot+cd1e60e112e840e40d0a@syzkaller.appspotmail.com


(riastradh)
diff -r1.19 -r1.20 src/sys/dev/usb/umcs.c

cvs diff -r1.19 -r1.20 src/sys/dev/usb/umcs.c

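--- a/src/sys/dev/usb/umcs.c
+++ b/src/sys/dev/usb/umcs.c
@@ -1,14 +1,14 @@
-/* $NetBSD: umcs.c,v 1.19 2022/04/19 01:35:28 riastradh Exp $ */
+/* $NetBSD: umcs.c,v 1.20 2022/06/26 21:35:53 riastradh Exp $ */
 /* $FreeBSD: head/sys/dev/usb/serial/umcs.c 260559 2014-01-12 11:44:28Z hselasky $ */
 
 /*-
  * Copyright (c) 2010 Lev Serebryakov <lev@FreeBSD.org>.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  * notice, this list of conditions and the following disclaimer in the
@@ -31,27 +31,27 @@
  * This driver supports several multiport USB-to-RS232 serial adapters driven
  * by MosChip mos7820 and mos7840, bridge chips.
  * The adapters are sold under many different brand names.
  *
  * Datasheets are available at MosChip www site at
  * http://www.moschip.com. The datasheets don't contain full
  * programming information for the chip.
  *
  * It is nornal to have only two enabled ports in devices, based on
  * quad-port mos7840.
  *
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: umcs.c,v 1.19 2022/04/19 01:35:28 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: umcs.c,v 1.20 2022/06/26 21:35:53 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/atomic.h>
 #include <sys/kernel.h>
 #include <sys/conf.h>
 #include <sys/tty.h>
 #include <sys/device.h>
 #include <sys/kmem.h>
 
 #include <dev/usb/usb.h>
 #include <dev/usb/usbdi.h>
 #include <dev/usb/usbdi_util.h>
@@ -266,26 +266,32 @@ umcs7840_attach(device_t parent, device_
  if (ed == NULL) continue;
  if (UE_GET_DIR(ed->bEndpointAddress) != UE_DIR_IN
  || UE_GET_XFERTYPE(ed->bmAttributes) != UE_INTERRUPT)
  continue;
  sc->sc_intr_buflen = UGETW(ed->wMaxPacketSize);
  intr_addr = ed->bEndpointAddress;
  break;
  }
  if (intr_addr < 0) {
  aprint_error_dev(self, "interrupt pipe not found\n");
  sc->sc_dying = true;
  return;
  }
+ if (sc->sc_intr_buflen == 0) {
+ aprint_error_dev(self, "invalid interrupt endpoint"
+ " (addr %d)\n", intr_addr);
+ sc->sc_dying = true;
+ return;
+ }
  sc->sc_intr_buf = kmem_alloc(sc->sc_intr_buflen, KM_SLEEP);
 
  error = usbd_open_pipe_intr(sc->sc_iface, intr_addr,
  USBD_SHORT_XFER_OK, &sc->sc_intr_pipe, sc, sc->sc_intr_buf,
  sc->sc_intr_buflen, umcs7840_intr, 100);
  if (error) {
  aprint_error_dev(self, "cannot open interrupt pipe "
  "(addr %d): error %d\n", intr_addr, error);
  sc->sc_dying = true;
  return;
  }
 
  usb_init_task(&sc->sc_change_task, umcs7840_change_task, sc,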
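Review bot: The new guard in umcs7840_attach rejects only a zero `wMaxPacketSize`, so any other device-supplied value still sizes `sc_intr_buf`, including one smaller than the status bytes `umcs7840_intr` parses. That handler is outside this hunk, so it should be confirmed that it checks the completed transfer length before indexing the buffer. The test is also made on the raw 16-bit field; under USB 2.0 bits 11-12 of that field are a transaction count rather than part of the size, so a descriptor with only those bits set would pass, and comparing the size field, `if (UE_GET_SIZE(sc->sc_intr_buflen) == 0) {`, would cover that case. A short comment above the check, such as `/* Endpoint descriptor is device-supplied; a zero wMaxPacketSize would reach kmem_alloc with size 0. */`, would record why it exists. The function body starts and ends outside the hunk.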