From: "Németh Márton" <nm127@freemail.hu>
To: Kees Cook <kees.cook@canonical.com>
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman <gregkh@suse.de>,
Oliver Neukum <oliver@neukum.org>, Joe Perches <joe@perches.com>,
linux-usb@vger.kernel.org
Subject: Re: [PATCH] usb: don't trust report_size for buffer size
Date: Mon, 11 Oct 2010 20:54:04 +0200 [thread overview]
Message-ID: <4CB35D4C.9000406@freemail.hu> (raw)
In-Reply-To: <20101011182816.GA15451@outflux.net>
Kees Cook wrote:
> If the iowarrior devices in this case statement support more than 8 bytes
> per report, it is possible to write past the end of a kernel heap allocation.
> This will probably never be possible, but change the allocation to be more
> defensive anyway.
I think this might be triggered from user space, indeed. The iowarrior_class.fops->write
points directly to the function iowarrior_write(). The iowarrior_class itself
is passed to the function usb_register_dev(), which means that the write() system
call to the character device will result in calling the iowarrior_write() function.
> Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Márton Németh <nm127@freemail.hu>
There might be similar problem also in the case USB_DEVICE_ID_CODEMERCS_IOW56. There
is buf is allocated with usb_alloc_coherent() to the size dev->report_size. However,
some lines later the copy_from_user() function tries to copy "count" number of
bytes to the dev->report_size allocated buffer. Unfortunately I don't have such
devices to try the driver so these are just coming from "static analysis".
> ---
> drivers/usb/misc/iowarrior.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
> index bc88c79..8ed8d05 100644
> --- a/drivers/usb/misc/iowarrior.c
> +++ b/drivers/usb/misc/iowarrior.c
> @@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
> case USB_DEVICE_ID_CODEMERCS_IOWPV2:
> case USB_DEVICE_ID_CODEMERCS_IOW40:
> /* IOW24 and IOW40 use a synchronous call */
> - buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both products */
> + buf = kmalloc(count, GFP_KERNEL);
> if (!buf) {
> retval = -ENOMEM;
> goto exit;
next prev parent reply other threads:[~2010-10-11 18:54 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-11 18:28 [PATCH] usb: don't trust report_size for buffer size Kees Cook
2010-10-11 18:54 ` Németh Márton [this message]
2010-10-11 19:11 ` Kees Cook
2010-10-11 19:34 ` Németh Márton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CB35D4C.9000406@freemail.hu \
--to=nm127@freemail.hu \
--cc=gregkh@suse.de \
--cc=joe@perches.com \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=oliver@neukum.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.