From: Oliver Neukum <oneukum@suse.com>
To: sathyanarayanan.kuppuswamy@linux.intel.com,
Greg KH <gregkh@linuxfoundation.org>
Cc: johan@kernel.org, linux-kernel@vger.kernel.org,
linux-usb@vger.kernel.org
Subject: [v1,1/1] USB: serial: Add boundry check for read_urbs array access
Date: Thu, 08 Mar 2018 09:54:57 +0100 [thread overview]
Message-ID: <1520499297.2983.3.camel@suse.com> (raw)
Am Mittwoch, den 07.03.2018, 13:41 -0800 schrieb sathyanarayanan
kuppuswamy :
>
> On 03/07/2018 12:58 PM, Greg KH wrote:
> > So I don't see why your check is needed, what other code path would ever
> > call this function in a way that the bounds check would be needed?
> void usb_serial_generic_read_bulk_callback(struct urb *urb)
>
> 385 for (i = 0; i < ARRAY_SIZE(port->read_urbs); ++i) {
> 386 if (urb == port->read_urbs[i])
> 387 break;
> 388 }
>
> In here, after this for loop is done (without any matching urb), i value
> will be equal to ARRAY_SIZE(port->read_urbs). So there is a possibility
> of usb_serial_generic_submit_read_urb() getting called with this invalid
> index.
If this happens the function was called for a stray URB.
Your check comes to late. We have called set_bit with an invalid index
and other shit.
We definitely do not just want to return an error in that case.
Regards
Oliver
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Oliver Neukum <oneukum@suse.com>
To: sathyanarayanan.kuppuswamy@linux.intel.com,
Greg KH <gregkh@linuxfoundation.org>
Cc: johan@kernel.org, linux-kernel@vger.kernel.org,
linux-usb@vger.kernel.org
Subject: Re: [PATCH v1 1/1] USB: serial: Add boundry check for read_urbs array access
Date: Thu, 08 Mar 2018 09:54:57 +0100 [thread overview]
Message-ID: <1520499297.2983.3.camel@suse.com> (raw)
In-Reply-To: <0055f93b-8497-5dfc-4233-9cc72bf690fc@linux.intel.com>
Am Mittwoch, den 07.03.2018, 13:41 -0800 schrieb sathyanarayanan
kuppuswamy :
>
> On 03/07/2018 12:58 PM, Greg KH wrote:
> > So I don't see why your check is needed, what other code path would ever
> > call this function in a way that the bounds check would be needed?
> void usb_serial_generic_read_bulk_callback(struct urb *urb)
>
> 385 for (i = 0; i < ARRAY_SIZE(port->read_urbs); ++i) {
> 386 if (urb == port->read_urbs[i])
> 387 break;
> 388 }
>
> In here, after this for loop is done (without any matching urb), i value
> will be equal to ARRAY_SIZE(port->read_urbs). So there is a possibility
> of usb_serial_generic_submit_read_urb() getting called with this invalid
> index.
If this happens the function was called for a stray URB.
Your check comes to late. We have called set_bit with an invalid index
and other shit.
We definitely do not just want to return an error in that case.
Regards
Oliver
next reply other threads:[~2018-03-08 8:54 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-08 8:54 Oliver Neukum [this message]
2018-03-08 8:54 ` [PATCH v1 1/1] USB: serial: Add boundry check for read_urbs array access Oliver Neukum
-- strict thread matches above, loose matches on Subject: below --
2018-03-09 0:34 [v1,1/1] " sathyanarayanan.kuppuswamy
2018-03-09 0:34 ` [PATCH v1 1/1] " sathyanarayanan kuppuswamy
2018-03-08 23:43 [v1,1/1] " Greg Kroah-Hartman
2018-03-08 23:43 ` [PATCH v1 1/1] " Greg KH
2018-03-08 23:29 [v1,1/1] " sathyanarayanan.kuppuswamy
2018-03-08 23:29 ` [PATCH v1 1/1] " sathyanarayanan kuppuswamy
2018-03-08 14:01 [v1,1/1] " Greg Kroah-Hartman
2018-03-08 14:01 ` [PATCH v1 1/1] " Greg KH
2018-03-07 21:41 [v1,1/1] " sathyanarayanan.kuppuswamy
2018-03-07 21:41 ` [PATCH v1 1/1] " sathyanarayanan kuppuswamy
2018-03-07 20:58 [v1,1/1] " Greg Kroah-Hartman
2018-03-07 20:58 ` [PATCH v1 1/1] " Greg KH
2018-03-07 20:23 [v1,1/1] " sathyanarayanan.kuppuswamy
2018-03-07 20:23 ` [PATCH v1 1/1] " sathyanarayanan.kuppuswamy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1520499297.2983.3.camel@suse.com \
--to=oneukum@suse.com \
--cc=gregkh@linuxfoundation.org \
--cc=johan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.