* [PATCH 1/1] usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()
@ 2024-07-05 7:43 Lee Jones
0 siblings, 0 replies; only message in thread
From: Lee Jones @ 2024-07-05 7:43 UTC (permalink / raw)
To: lee, gregkh; +Cc: linux-kernel, linux-usb
Userspace provided string 's' could trivially have the length zero. Left
unchecked this will firstly result in an OOB read in the form
`if (str[0 - 1] == '\n') followed closely by an OOB write in the form
`str[0 - 1] = '\0'`.
There is already a validating check to catch strings that are too long.
Let's supply an additional check for invalid strings that are too short.
Signed-off-by: Lee Jones <lee@kernel.org>
---
drivers/usb/gadget/configfs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index ce3cfa1f36f51..0e7c1e947c0a0 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -115,9 +115,12 @@ static int usb_string_copy(const char *s, char **s_copy)
int ret;
char *str;
char *copy = *s_copy;
+
ret = strlen(s);
if (ret > USB_MAX_STRING_LEN)
return -EOVERFLOW;
+ if (ret < 1)
+ return -EINVAL;
if (copy) {
str = copy;
--
2.45.2.803.g4e1b14247a-goog
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2024-07-05 7:43 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-05 7:43 [PATCH 1/1] usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() Lee Jones
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox