From: Dan Carpenter <dan.carpenter@oracle.com>
To: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: stern@rowland.harvard.edu, stable@vger.kernel.org,
stable-commits@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: Patch "USB: devio: Don't corrupt user memory" has been added to the 4.4-stable tree
Date: Tue, 17 Oct 2017 17:48:09 +0300 [thread overview]
Message-ID: <20171017144809.usfebdmffeegrrun@mwanda> (raw)
In-Reply-To: <1508250970.22379.65.camel@codethink.co.uk>
On Tue, Oct 17, 2017 at 03:36:10PM +0100, Ben Hutchings wrote:
> On Mon, 2017-10-09 at 13:31 +0200, gregkh@linuxfoundation.org wrote:
> [...]
> > From: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > commit fa1ed74eb1c233be6131ec92df21ab46499a15b6 upstream.
> >
> > The user buffer has "uurb->buffer_length" bytes.��If the kernel has more
> > information than that, we should truncate it instead of writing past
> > the end of the user's buffer.��I added a WARN_ONCE() to help the user
> > debug the issue.
> [...]
>
> Users should not be able to provoke a WARN_ON at will, that's a DoS
> (log spam, possible panic).
>
> And this truncated user buffer length is also used for allocation of
> the kernel buffer. Are you totally sure that this can't result in a
> kernel buffer overrun (or leak)?
>
> This fix seems worse than continuing to allow userspace to shoot itself
> in the foot.
>
We don't want to add this because it breaks API and does actually lead
to a leak. But it was a WARN_ONCE() not, a WARN_ON() so that part was
ok. Probably it helped find the bug in my code.
regards,
dan carpenter
next prev parent reply other threads:[~2017-10-17 14:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-09 11:31 Patch "USB: devio: Don't corrupt user memory" has been added to the 4.4-stable tree gregkh
2017-10-17 14:36 ` Ben Hutchings
2017-10-17 14:48 ` Dan Carpenter [this message]
2017-10-17 14:58 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171017144809.usfebdmffeegrrun@mwanda \
--to=dan.carpenter@oracle.com \
--cc=ben.hutchings@codethink.co.uk \
--cc=gregkh@linuxfoundation.org \
--cc=stable-commits@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.