From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
Andrey Konovalov <andreyknvl@google.com>,
Felipe Balbi <felipe.balbi@linux.intel.com>
Subject: [PATCH 4.4 012/101] USB: gadgetfs: fix unbounded memory allocation bug
Date: Tue, 10 Jan 2017 14:36:25 +0100 [thread overview]
Message-ID: <20170110131523.017359630@linuxfoundation.org> (raw)
In-Reply-To: <20170110131522.493717794@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream.
Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN warning in gadgetfs:
BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
Write of size 65537 by task syz-executor0/6356
CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
[<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
[< inline >] print_address_description mm/kasan/report.c:197
[<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
[<ffffffff817e5705>] kasan_report+0x35/0x40 mm/kasan/report.c:306
[< inline >] check_memory_region_inline mm/kasan/kasan.c:308
[<ffffffff817e3fb9>] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
[<ffffffff817e4044>] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
[< inline >] copy_from_user arch/x86/include/asm/uaccess.h:689
[< inline >] ep0_write drivers/usb/gadget/legacy/inode.c:1135
[<ffffffff83228caf>] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
[<ffffffff817fdd55>] __vfs_write+0x5d5/0x760 fs/read_write.c:510
[<ffffffff817ff650>] vfs_write+0x170/0x4e0 fs/read_write.c:560
[< inline >] SYSC_write fs/read_write.c:607
[<ffffffff81803a5b>] SyS_write+0xfb/0x230 fs/read_write.c:599
[<ffffffff84f47ec1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Indeed, there is a comment saying that the value of len is restricted
to a 16-bit integer, but the code doesn't actually do this.
This patch fixes the warning. It replaces the comment with a
computation that forces the amount of data copied from the user in
ep0_write() to be no larger than the wLength size for the control
transfer, which is a 16-bit quantity.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/legacy/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1125,7 +1125,7 @@ ep0_write (struct file *fd, const char _
/* data and/or status stage for control request */
} else if (dev->state == STATE_DEV_SETUP) {
- /* IN DATA+STATUS caller makes len <= wLength */
+ len = min_t(size_t, len, dev->setup_wLength);
if (dev->setup_in) {
retval = setup_req (dev->gadget->ep0, dev->req, len);
if (retval == 0) {
next prev parent reply other threads:[~2017-01-10 13:38 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20170110134113epcas3p4f03897bb91bfb9896af546cda8d12e7e@epcas3p4.samsung.com>
2017-01-10 13:36 ` [PATCH 4.4 000/101] 4.4.42-stable review Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 001/101] ALSA: hda - Fix up GPIO for ASUS ROG Ranger Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 002/101] ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 003/101] ALSA: usb-audio: Fix irq/process data synchronization Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 004/101] ARM: davinci: da850: dont add emac clock to lookup table twice Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 005/101] mac80211: initialize fast-xmit info later Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 006/101] KVM: x86: reset MMU on KVM_SET_VCPU_EVENTS Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 007/101] KVM: MIPS: Flush KVM entry code from icache globally Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 008/101] usb: musb: core: add clear_ep_rxintr() to musb_platform_ops Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 009/101] usb: musb: dsps: implement clear_ep_rxintr() callback Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 010/101] usb: storage: unusual_uas: Add JMicron JMS56x to unusual device Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 011/101] usb: gadgetfs: restrict upper bound on device configuration size Greg Kroah-Hartman
2017-01-10 13:36 ` Greg Kroah-Hartman [this message]
2017-01-10 13:36 ` [PATCH 4.4 013/101] USB: gadgetfs: fix use-after-free bug Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 014/101] USB: gadgetfs: fix checks of wTotalLength in config descriptors Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 015/101] USB: fix problems with duplicate endpoint addresses Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 016/101] USB: dummy-hcd: fix bug in stop_activity (handle ep0) Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 017/101] usb: gadget: composite: Test get_alt() presence instead of set_alt() Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 018/101] usb: dwc3: core: avoid Overflow events Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 019/101] usb: xhci: fix possible wild pointer Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 020/101] xhci: workaround for hosts missing CAS bit Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 021/101] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 022/101] xhci: free xhci virtual devices with leaf nodes first Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 023/101] usb: xhci: fix return value of xhci_setup_device() Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 024/101] usb: host: xhci: Fix possible wild pointer when handling abort command Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 025/101] xhci: Handle command completion and timeout race Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 026/101] usb: xhci: hold lock over xhci_abort_cmd_ring() Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 027/101] USB: serial: omninet: fix NULL-derefs at open and disconnect Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 028/101] USB: serial: quatech2: fix sleep-while-atomic in close Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 029/101] USB: serial: pl2303: fix NULL-deref at open Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 030/101] USB: serial: keyspan_pda: verify endpoints at probe Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 031/101] USB: serial: spcp8x5: fix NULL-deref at open Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 032/101] USB: serial: io_ti: " Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 033/101] USB: serial: io_ti: fix another " Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 034/101] USB: serial: io_ti: fix I/O after disconnect Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 035/101] USB: serial: iuu_phoenix: fix NULL-deref at open Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 036/101] USB: serial: garmin_gps: fix memory leak on failed URB submit Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 037/101] USB: serial: ti_usb_3410_5052: fix NULL-deref at open Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 038/101] USB: serial: io_edgeport: " Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 039/101] USB: serial: oti6858: " Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 040/101] USB: serial: cyberjack: " Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 041/101] USB: serial: kobil_sct: fix NULL-deref in write Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 042/101] USB: serial: mos7840: fix NULL-deref at open Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 043/101] USB: serial: mos7720: " Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 044/101] USB: serial: mos7720: fix use-after-free on probe errors Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 045/101] USB: serial: mos7720: fix parport " Greg Kroah-Hartman
2017-01-10 13:36 ` [PATCH 4.4 046/101] USB: serial: mos7720: fix parallel probe Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 047/101] usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 048/101] xhci: Use delayed_work instead of timer for command timeout Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 049/101] xhci: Fix race related to abort operation Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 050/101] usb: dwc3: pci: add Intel Gemini Lake PCI ID Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 051/101] usb: musb: Fix trying to free already-free IRQ 4 Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 054/101] ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream() Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 055/101] USB: serial: kl5kusb105: abort on open exception path Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 056/101] ARM: dts: r8a7794: Correct hsusb parent clock Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 057/101] USB: phy: am335x-control: fix device and of_node leaks Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 058/101] USB: serial: io_ti: bind to interface after fw download Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 059/101] mei: bus: fix mei_cldev_enable KDoc Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 060/101] staging: iio: ad7606: fix improper setting of oversampling pins Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 061/101] usb: dwc3: gadget: always unmap EP0 requests Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 062/101] usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb() Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 063/101] usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb() Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 064/101] stable-fixup: hotplug: fix unused function warning Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 065/101] ath10k: use the right length of "background" Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 066/101] cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 067/101] hwmon: (scpi) Fix module autoload Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 068/101] hwmon: (amc6821) sign extension temperature Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 069/101] hwmon: (ds620) Fix overflows seen when writing temperature limits Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 070/101] hwmon: (nct7802) Fix overflows seen when writing into limit attributes Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 071/101] hwmon: (g762) Fix overflows and crash seen when writing " Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 072/101] clk: clk-wm831x: fix a logic error Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 074/101] iommu/amd: Missing error code in amd_iommu_init_device() Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 075/101] iommu/amd: Fix the left value check of cmd buffer Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 076/101] iommu/vt-d: Fix pasid table size encoding Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 077/101] iommu/vt-d: Flush old iommu caches for kdump when the device gets context mapped Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 078/101] ASoC: samsung: i2s: Fixup last IRQ unsafe spin lock call Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 079/101] scsi: mvsas: fix command_active typo Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 080/101] target/iscsi: Fix double free in lio_target_tiqn_addtpg() Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 081/101] irqchip/bcm7038-l1: Implement irq_cpu_offline() callback Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 082/101] PM / wakeirq: Fix dedicated wakeirq for drivers not using autosuspend Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 083/101] mmc: mmc_test: Uninitialized return value Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 084/101] s390/crypto: unlock on error in prng_tdes_read() Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 085/101] crypto: arm64/sha2-ce - fix for big endian Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 086/101] crypto: arm64/ghash-ce " Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 087/101] crypto: arm/aes-ce " Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 088/101] crypto: arm64/aes-ccm-ce: " Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 089/101] crypto: arm64/aes-neon - " Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 090/101] crypto: arm64/sha1-ce " Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 091/101] crypto: arm64/aes-xts-ce: " Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 092/101] crypto: arm64/aes-ce - " Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 093/101] md: MD_RECOVERY_NEEDED is set for mddev->recovery Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 094/101] powerpc/pci/rpadlpar: Fix device reference leaks Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 095/101] staging: comedi: dt282x: tidy up register bit defines Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 096/101] cred/userns: define current_user_ns() as a function Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 097/101] net: ti: cpmac: Fix compiler warning due to type confusion Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 098/101] net: vxge: avoid unused function warnings Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 099/101] [media] cx23885-dvb: move initialization of a8293_pdata Greg Kroah-Hartman
2017-01-10 13:37 ` [PATCH 4.4 101/101] tick/broadcast: Prevent NULL pointer dereference Greg Kroah-Hartman
2017-01-10 17:34 ` [PATCH 4.4 000/101] 4.4.42-stable review Shuah Khan
2017-01-10 22:26 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170110131523.017359630@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andreyknvl@google.com \
--cc=felipe.balbi@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.