From: Sergey Shtylyov <s.shtylyov@omp.ru>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Felipe Balbi <balbi@kernel.org>, <linux-usb@vger.kernel.org>
Subject: Re: [PATCH] usb: gadget: function: rndis: limit # of RNDIS instances to 1000
Date: Fri, 26 Aug 2022 00:09:11 +0300
Message-ID: <6d2d6ae1-4a23-01b2-b505-e3031c2c7caf@omp.ru>
In-Reply-To: <YwW8+hcJ9idgSbwl@kroah.com>
Hello!
On 8/24/22 8:54 AM, Greg Kroah-Hartman wrote:
>> As follows from #define NAME_TEMPLATE, the procfs code in the RNDIS driver
>> expects the # of instances to be 3-digit decimal, while the driver calls
>> ida_simple_get() passing 0 as the 'end' argument which results in actual
>> max instance # of INT_MAX. Limit the maximum # of RNDIS instances to 1000
>> which is still a lot! :-)
>>
>> Found by Linux Verification Center (linuxtesting.org) with the SVACE static
>> analysis tool.
>>
>> Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
>>
>> ---
>> This patch is against the 'next' branch of Felipe Balbi's 'usb.git' repo...
>>
>> drivers/usb/gadget/function/rndis.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> Index: usb/drivers/usb/gadget/function/rndis.c
>> ===================================================================
>> --- usb.orig/drivers/usb/gadget/function/rndis.c
>> +++ usb/drivers/usb/gadget/function/rndis.c
>> @@ -865,7 +865,7 @@ EXPORT_SYMBOL_GPL(rndis_msg_parser);
>>
>> static inline int rndis_get_nr(void)
>> {
>> - return ida_simple_get(&rndis_ida, 0, 0, GFP_KERNEL);
>> + return ida_simple_get(&rndis_ida, 0, 1000, GFP_KERNEL);
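Review bot: the literal 1000 in the new ida_simple_get() call is coupled to the three-digit "%03d" field of NAME_TEMPLATE, but nothing in rndis_get_nr() records that link. Because 'end' is exclusive, 1000 does give a largest id of 999, which fits three digits; consider a named constant defined next to NAME_TEMPLATE, or a one-line comment on this call, so that a later change to either one does not silently bring the mismatch back.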
>
> Why not just change the procfs code instead?
You mean changing #define NAME_TEMPLATE from "driver/rndis-%03d" to
"driver/rndis-%010d" and then changing the size of the name[] buffers to
24 bytes?
> It's not like anyone should ever be using this driver anyway.
> We should delete it soon, it's
> totally broken and insecure as noted in the past :(
Oh, I wasn't aware of that... I just got the SVACE reports tossed
at me by the ISP people...
> thanks,
>
> greg k-h
MBR, Sergey
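
The buffer-size arithmetic behind the two options discussed above, as an added example (not part of the original messages or of the kernel source). The two templates are the ones quoted in the thread; the helper names are hypothetical, and the example assumes an exclusive 'end' bound where 0 means ids up to INT_MAX, as the patch description states.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Templates quoted in the thread: the current one and the proposed wider one. */
#define NAME_TEMPLATE_3  "driver/rndis-%03d"
#define NAME_TEMPLATE_10 "driver/rndis-%010d"

/*
 * Largest id an allocator can hand out for an exclusive 'end' bound.
 * end == 0 means "no bound", i.e. ids up to INT_MAX (assumption taken
 * from the patch description).
 */
static int max_id_for_end(unsigned int end)
{
	return end == 0 ? INT_MAX : (int)(end - 1);
}

/* Bytes needed, including the trailing NUL, to format the largest id. */
static int name_buf_needed(const char *tmpl, unsigned int end)
{
	/* snprintf(NULL, 0, ...) returns the length the output would have. */
	return snprintf(NULL, 0, tmpl, max_id_for_end(end)) + 1;
}

/* Nonzero if every id the allocator can return fits in bufsize bytes. */
static int name_fits(const char *tmpl, unsigned int end, size_t bufsize)
{
	int need = name_buf_needed(tmpl, end);

	return need > 0 && (size_t)need <= bufsize;
}

int main(void)
{
	printf("%%03d,  end=0:    %d bytes\n", name_buf_needed(NAME_TEMPLATE_3, 0));
	printf("%%03d,  end=1000: %d bytes\n", name_buf_needed(NAME_TEMPLATE_3, 1000));
	printf("%%010d, end=0:    %d bytes\n", name_buf_needed(NAME_TEMPLATE_10, 0));
	return 0;
}
```

"%03d" sets a minimum width only, so an unbounded id still expands to ten digits and needs the same 24 bytes as the "%010d" template.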
Thread overview:
2022-08-23 20:53 [PATCH] usb: gadget: function: rndis: limit # of RNDIS instances to 1000 Sergey Shtylyov
2022-08-24 5:54 ` Greg Kroah-Hartman
2022-08-25 21:09 ` Sergey Shtylyov [this message]