From: Greg KH <gregkh@linuxfoundation.org>
To: jackysliu <1972843537@qq.com>
Cc: viro@zeniv.linux.org.uk, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usb: gadget: functioni: Fix a oob problem in rndis
Date: Thu, 10 Jul 2025 10:21:46 +0200 [thread overview]
Message-ID: <2025071026-fanciness-size-1d5d@gregkh> (raw)
In-Reply-To: <tencent_8E3F0D0AD7E5F6DC1F3009EA1DB7391A8505@qq.com>
On Thu, Jul 10, 2025 at 04:14:18PM +0800, jackysliu wrote:
> A critical out-of-bounds memory access vulnerability exists in the RNDIS
> (Remote Network Driver Interface Specification) implementation.
It's not really "critical" as the specification never claims to be
secure at all, and we have said for years that you should never run this
on system that you do not fully trust (host and client.)
> The vulnerability stems from insufficient boundary validation when
> processing SET requests with user-controlled InformationBufferOffset
> and InformationBufferLength parameters.
>
> The vulnerability can be fixed by adding addtional boundary checks
>
> Signed-off-by: jackysliu <1972843537@qq.com>
Please use a full name, not just a one word alias.
And what commit id does this fix?
> ---
> drivers/usb/gadget/function/rndis.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c
> index afd75d72412c..cc522fb4c06c 100644
> --- a/drivers/usb/gadget/function/rndis.c
> +++ b/drivers/usb/gadget/function/rndis.c
> @@ -641,7 +641,8 @@ static int rndis_set_response(struct rndis_params *params,
> BufOffset = le32_to_cpu(buf->InformationBufferOffset);
> if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
> (BufOffset > RNDIS_MAX_TOTAL_SIZE) ||
> - (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
> + (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE) ||
> + (BufOffset + BufLength+8 > RNDIS_MAX_TOTAL_SIZE))
> return -EINVAL;
>
> r = rndis_add_response(params, sizeof(rndis_set_cmplt_type));
> --
> 2.43.5
>
As I asked before, please run scripts/checkpatch.pl on your patch and
fix the issue it found. Can you do all of this and send a v2 patch?
thanks,
greg k-h
next prev parent reply other threads:[~2025-07-10 8:21 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-10 8:14 [PATCH] usb: gadget: functioni: Fix a oob problem in rndis jackysliu
2025-07-10 8:21 ` Greg KH [this message]
2025-07-10 8:49 ` [PATCH v2] " jackysliu
2025-07-10 9:16 ` Greg KH
2025-07-10 9:33 ` jackysliu
2025-07-10 9:34 ` Greg KH
2025-07-10 12:19 ` Greg KH
2025-07-11 3:46 ` jackysliu
2025-07-11 5:54 ` Greg KH
2025-07-11 6:40 ` jackysliu
2025-07-11 6:51 ` Greg KH
2025-07-15 8:20 ` jackysliu
2025-07-15 8:32 ` Greg KH
2025-07-15 8:47 ` jackysliu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025071026-fanciness-size-1d5d@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=1972843537@qq.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).