Date: Tue, 17 Oct 2017 17:48:09 +0300
From: Dan Carpenter
To: Ben Hutchings
Cc: stern@rowland.harvard.edu, stable@vger.kernel.org, stable-commits@vger.kernel.org, Greg Kroah-Hartman
Subject: Re: Patch "USB: devio: Don't corrupt user memory" has been added to the 4.4-stable tree
Message-ID: <20171017144809.usfebdmffeegrrun@mwanda>
References: <150754871438113@kroah.com> <1508250970.22379.65.camel@codethink.co.uk>
In-Reply-To: <1508250970.22379.65.camel@codethink.co.uk>

On Tue, Oct 17, 2017 at 03:36:10PM +0100, Ben Hutchings wrote:
> On Mon, 2017-10-09 at 13:31 +0200, gregkh@linuxfoundation.org wrote:
> [...]
> > From: Dan Carpenter
> >
> > commit fa1ed74eb1c233be6131ec92df21ab46499a15b6 upstream.
> >
> > The user buffer has "uurb->buffer_length" bytes.  If the kernel has more
> > information than that, we should truncate it instead of writing past
> > the end of the user's buffer.  I added a WARN_ONCE() to help the user
> > debug the issue.
> [...]
>
> Users should not be able to provoke a WARN_ON at will, that's a DoS
> (log spam, possible panic).
>
> And this truncated user buffer length is also used for allocation of
> the kernel buffer.  Are you totally sure that this can't result in a
> kernel buffer overrun (or leak)?
>
> This fix seems worse than continuing to allow userspace to shoot itself
> in the foot.
>

We don't want to add this because it breaks API and does actually lead
to a leak.  But it was a WARN_ONCE(), not a WARN_ON(), so that part was
ok.  Probably it helped find the bug in my code.

regards,
dan carpenter
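The pattern the commit message describes, clamping a copy-out to the length the caller said its buffer has instead of trusting that the kernel's data fits, as an added userspace model. This is not the devio code and not code from anyone in this thread: struct user_region, the canary region, KDATA, and every function name below are constructed for the demo, memcpy stands in for copy_to_user, and the "truncated" flag stands in for the WARN_ONCE() mentioned in the commit message. The "before" copy runs 12 bytes into an 8-byte buffer and clobbers the canary; the "after" copy stops at 8 and reports that it did.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: the caller's buffer ("user memory") followed by a
 * canary region, so an overrun is observable without undefined behaviour. */
#define USER_BUF_LEN 8u
#define CANARY_LEN   8u
#define CANARY_BYTE  0xA5

struct user_region {
    unsigned char buf[USER_BUF_LEN];
    unsigned char canary[CANARY_LEN];
};

/* Constructed "kernel data": more bytes than the user buffer can hold. */
static const unsigned char KDATA[12] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b
};

static void user_region_init(struct user_region *u)
{
    memset(u->buf, 0, sizeof u->buf);
    memset(u->canary, CANARY_BYTE, sizeof u->canary);
}

/* 1 if nothing past buf was touched, 0 if the canary was overwritten. */
static int canary_intact(const struct user_region *u)
{
    size_t i;
    for (i = 0; i < sizeof u->canary; i++)
        if (u->canary[i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Before the fix: copy everything the kernel has and ignore buffer_length.
 * Writing through the struct pointer keeps the overrun inside one object so
 * the demo stays defined behaviour; klen is capped at the struct size for
 * the same reason (that cap is a demo guard, not part of the bug). */
static size_t copy_out_unbounded(struct user_region *u, size_t buffer_length,
                                 const unsigned char *kdata, size_t klen)
{
    (void)buffer_length;               /* ignored: this is the bug */
    if (klen > sizeof *u)
        klen = sizeof *u;
    memcpy((unsigned char *)u, kdata, klen);
    return klen;
}

/* Length the copy is clamped to: the smaller of what the caller supplied
 * and what the kernel has. */
static size_t bounded_copy_len(size_t buffer_length, size_t klen)
{
    return klen < buffer_length ? klen : buffer_length;
}

/* After the fix: never write more than buffer_length bytes into buf.
 * *truncated is set when data was dropped (the WARN_ONCE() stand-in).
 * Returns the number of bytes actually copied. */
static size_t copy_out_bounded(struct user_region *u, size_t buffer_length,
                               const unsigned char *kdata, size_t klen,
                               int *truncated)
{
    size_t n = bounded_copy_len(buffer_length, klen);
    *truncated = (n < klen);
    memcpy(u->buf, kdata, n);
    return n;
}

/* 1 if the canary survived an unbounded 12-byte copy into an 8-byte
 * buffer (it does not), 0 if it was clobbered. */
static int scenario_unbounded(void)
{
    struct user_region u;
    user_region_init(&u);
    copy_out_unbounded(&u, USER_BUF_LEN, KDATA, sizeof KDATA);
    return canary_intact(&u);
}

/* 1 if the bounded copy stayed inside buf, copied exactly USER_BUF_LEN
 * bytes of KDATA, and flagged the truncation; 0 otherwise. */
static int scenario_bounded(void)
{
    struct user_region u;
    int truncated = 0;
    size_t n;
    user_region_init(&u);
    n = copy_out_bounded(&u, USER_BUF_LEN, KDATA, sizeof KDATA, &truncated);
    return canary_intact(&u) && n == USER_BUF_LEN && truncated == 1
           && memcmp(u.buf, KDATA, USER_BUF_LEN) == 0;
}

int main(void)
{
    printf("unbounded copy: canary %s\n",
           scenario_unbounded() ? "intact" : "CLOBBERED");
    printf("bounded copy:   %s\n", scenario_bounded() ? "ok" : "FAILED");
    return 0;
}
```

The clamp is only half of the picture, which is the caveat Ben raises above: whatever length is used to size the kernel-side allocation has to be the same bound the producer of the data is told about. If the allocation is sized from the truncated length while the producer still writes the full length, the overrun has only moved from user memory into the kernel buffer.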