From: Felipe Balbi <balbi@kernel.org>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Andrey Konovalov <andreyknvl@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Marek Szyprowski <m.szyprowski@samsung.com>,
David Sterba <dsterba@suse.com>,
Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>,
David Eccher <d.eccher@gmail.com>, Bin Liu <b-liu@ti.com>,
Mathieu Laurendeau <mat.lau@laposte.net>,
Binyamin Sharet <s.binyamin@gmail.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
linux-usb@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
Dmitry Vyukov <dvyukov@google.com>,
Kostya Serebryany <kcc@google.com>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: net/gadget: slab-out-of-bounds write in dev_config
Date: Wed, 28 Dec 2016 13:51:48 +0200
Message-ID: <874m1o1dbf.fsf@linux.intel.com>
In-Reply-To: <Pine.LNX.4.44L0.1612271007290.21478-100000@netrider.rowland.org>
Hi,

Alan Stern <stern@rowland.harvard.edu> writes:
>> > Index: usb-4.x/drivers/usb/gadget/legacy/inode.c
>> > ===================================================================
>> > --- usb-4.x.orig/drivers/usb/gadget/legacy/inode.c
>> > +++ usb-4.x/drivers/usb/gadget/legacy/inode.c
>> > @@ -1126,7 +1126,7 @@ ep0_write (struct file *fd, const char _
>> > /* data and/or status stage for control request */
>> > } else if (dev->state == STATE_DEV_SETUP) {
>> >
>> > - /* IN DATA+STATUS caller makes len <= wLength */
>> > + len = min(len, (size_t) dev->setup_wLength);
>> > if (dev->setup_in) {
>> > retval = setup_req (dev->gadget->ep0, dev->req, len);
>> > if (retval == 0) {
>> >
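Review bot: The added "len = min(len, (size_t) dev->setup_wLength);" line in the STATE_DEV_SETUP branch of ep0_write() replaces the only comment that explained the length assumption and leaves none behind; a one-line comment saying that the caller's len is no longer trusted and is clamped to the host's wLength would keep the reason visible next to the check. The open-coded cast would read better as min_t(size_t, len, dev->setup_wLength). The clamp also sits ahead of the "if (dev->setup_in)" test, so it applies to whatever follows the IN branch as well, which this hunk does not show; worth confirming that is intended.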
>>
>> I already have a patch from Greg for this. See [1]
>>
>> [1] https://git.kernel.org/cgit/linux/kernel/git/balbi/usb.git/commit/?id=230bc0cb8ff222d9f0fbbd93a80393140b39481f
>
> The two patches fix different problems. My patch goes on the pathway
> where dev->state > STATE_DEV_OPENED in dev_config(), and Greg's patch
> handles the case where it is <=.

Okay, here's what I have so far in my testing/fixes:

$ git --no-pager shortlog testing/fixes ^linus/master
Alan Stern (5):
      USB: dummy-hcd: fix bug in stop_activity (handle ep0)
      USB: gadgetfs: fix unbounded memory allocation bug
      USB: gadgetfs: fix use-after-free bug
      USB: gadgetfs: fix checks of wTotalLength in config descriptors
      USB: gadgetfs: remove unnecessary assignment

Baolin Wang (1):
      usb: gadget: f_fs: Fix possibe deadlock

Felipe Balbi (4):
      usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb()
      usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb()
      usb: dwc3: gadget: always unmap EP0 requests
      usb: dwc3: core: avoid Overflow events

Greg Kroah-Hartman (1):
      usb: gadgetfs: restrict upper bound on device configuration size

Grygorii Strashko (1):
      usb: dwc3: omap: fix race of pm runtime with irq handler in probe

Hans de Goede (1):
      usb: dwc3: pci: Fix dr_mode misspelling

Heikki Krogerus (1):
      usb: dwc3: pci: add Intel Gemini Lake PCI ID

Janusz Dziedzic (1):
      usb: dwc3: skip interrupt when ep disabled

John Youn (1):
      usb: dwc3: pci: Add "linux,sysdev_is_parent" property

Krzysztof Opasiak (1):
      usb: gadget: composite: Test get_alt() presence instead of set_alt()

Marek Szyprowski (1):
      usb: dwc2: fix flags for DMA descriptor allocation in dwc2_hsotg_ep_enable

Stefan Wahren (4):
      usb: dwc2: Do not set host parameter in peripheral mode
      usb: dwc2: fix dwc2_get_device_property for u8 and u16
      usb: dwc2: fix default value for DMA support
      usb: dwc2: gadget: fix default value for gadget-dma-desc

Vincent Pelletier (2):
      usb: gadget: f_fs: Document eventfd effect on descriptor format.
      usb: gadget: f_fs: Fix ExtCompat descriptor validation

--
balbi