Patch "USB: devio: Don't corrupt user memory" has been added to the 4.4-stable tree

Patch "USB: devio: Don't corrupt user memory" has been added to the 4.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    USB: devio: Don't corrupt user memory

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-devio-don-t-corrupt-user-memory.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From fa1ed74eb1c233be6131ec92df21ab46499a15b6 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 22 Sep 2017 23:43:46 +0300
Subject: USB: devio: Don't corrupt user memory

From: Dan Carpenter <dan.carpenter@oracle.com>

commit fa1ed74eb1c233be6131ec92df21ab46499a15b6 upstream.

The user buffer has "uurb->buffer_length" bytes.  If the kernel has more
information than that, we should truncate it instead of writing past
the end of the user's buffer.  I added a WARN_ONCE() to help the user
debug the issue.

Reported-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/devio.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1417,7 +1417,11 @@ static int proc_do_submiturb(struct usb_
 			totlen += isopkt[u].length;
 		}
 		u *= sizeof(struct usb_iso_packet_descriptor);
-		uurb->buffer_length = totlen;
+		if (totlen <= uurb->buffer_length)
+			uurb->buffer_length = totlen;
+		else
+			WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
+				  totlen, uurb->buffer_length);
 		break;
 
 	default:


Patches currently in stable-queue which might be from dan.carpenter@oracle.com are

queue-4.4/usb-devio-don-t-corrupt-user-memory.patch

Re: Patch "USB: devio: Don't corrupt user memory" has been added to the 4.4-stable tree

[Ben Hutchings]

On Mon, 2017-10-09 at 13:31 +0200, gregkh@linuxfoundation.org wrote:
[...]
> From: Dan Carpenter <dan.carpenter@oracle.com>
> 
> commit fa1ed74eb1c233be6131ec92df21ab46499a15b6 upstream.
> 
> The user buffer has "uurb->buffer_length" bytes.  If the kernel has more
> information than that, we should truncate it instead of writing past
> the end of the user's buffer.  I added a WARN_ONCE() to help the user
> debug the issue.
[...]

Users should not be able to provoke a WARN_ON at will, that's a DoS
(log spam, possible panic).

And this truncated user buffer length is also used for allocation of
the kernel buffer.  Are you totally sure that this can't result in a
kernel buffer overrun (or leak)?

This fix seems worse than continuing to allow userspace to shoot itself
in the foot.

Ben.

-- 
Ben Hutchings
Software Developer, Codethink Ltd.

Re: Patch "USB: devio: Don't corrupt user memory" has been added to the 4.4-stable tree

[Dan Carpenter]

On Tue, Oct 17, 2017 at 03:36:10PM +0100, Ben Hutchings wrote:
> On Mon, 2017-10-09 at 13:31 +0200, gregkh@linuxfoundation.org wrote:
> [...]
> > From: Dan Carpenter <dan.carpenter@oracle.com>
> > 
> > commit fa1ed74eb1c233be6131ec92df21ab46499a15b6 upstream.
> > 
> > The user buffer has "uurb->buffer_length" bytes.��If the kernel has more
> > information than that, we should truncate it instead of writing past
> > the end of the user's buffer.��I added a WARN_ONCE() to help the user
> > debug the issue.
> [...]
> 
> Users should not be able to provoke a WARN_ON at will, that's a DoS
> (log spam, possible panic).
> 
> And this truncated user buffer length is also used for allocation of
> the kernel buffer.  Are you totally sure that this can't result in a
> kernel buffer overrun (or leak)?
> 
> This fix seems worse than continuing to allow userspace to shoot itself
> in the foot.
> 

We don't want to add this because it breaks API and does actually lead
to a leak.  But it was a WARN_ONCE() not, a WARN_ON() so that part was
ok.  Probably it helped find the bug in my code.

regards,
dan carpenter

Re: Patch "USB: devio: Don't corrupt user memory" has been added to the 4.4-stable tree

[Greg Kroah-Hartman]

On Tue, Oct 17, 2017 at 03:36:10PM +0100, Ben Hutchings wrote:
> On Mon, 2017-10-09 at 13:31 +0200, gregkh@linuxfoundation.org wrote:
> [...]
> > From: Dan Carpenter <dan.carpenter@oracle.com>
> > 
> > commit fa1ed74eb1c233be6131ec92df21ab46499a15b6 upstream.
> > 
> > The user buffer has "uurb->buffer_length" bytes.��If the kernel has more
> > information than that, we should truncate it instead of writing past
> > the end of the user's buffer.��I added a WARN_ONCE() to help the user
> > debug the issue.
> [...]
> 
> Users should not be able to provoke a WARN_ON at will, that's a DoS
> (log spam, possible panic).
> 
> And this truncated user buffer length is also used for allocation of
> the kernel buffer.  Are you totally sure that this can't result in a
> kernel buffer overrun (or leak)?
> 
> This fix seems worse than continuing to allow userspace to shoot itself
> in the foot.

A fix reverting this has gone into my tree right now, and will get to
Linus real-soon, to fix this issue.

thanks,

greg k-h