From: "Németh Márton" <nm127@freemail.hu>
To: Kees Cook <kees.cook@canonical.com>
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman <gregkh@suse.de>,
Oliver Neukum <oliver@neukum.org>, Joe Perches <joe@perches.com>,
linux-usb@vger.kernel.org
Subject: Re: [PATCH] usb: don't trust report_size for buffer size
Date: Mon, 11 Oct 2010 20:54:04 +0200 [thread overview]
Message-ID: <4CB35D4C.9000406@freemail.hu> (raw)
In-Reply-To: <20101011182816.GA15451@outflux.net>
Kees Cook wrote:
> If the iowarrior devices in this case statement support more than 8 bytes
> per report, it is possible to write past the end of a kernel heap allocation.
> This will probably never be possible, but change the allocation to be more
> defensive anyway.
I think this might be triggered from user space, indeed. The iowarrior_class.fops->write
points directly to the function iowarrior_write(). The iowarrior_class itself
is passed to the function usb_register_dev(), which means that the write() system
call to the character device will result in calling the iowarrior_write() function.
> Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Márton Németh <nm127@freemail.hu>
There might be similar problem also in the case USB_DEVICE_ID_CODEMERCS_IOW56. There
is buf is allocated with usb_alloc_coherent() to the size dev->report_size. However,
some lines later the copy_from_user() function tries to copy "count" number of
bytes to the dev->report_size allocated buffer. Unfortunately I don't have such
devices to try the driver so these are just coming from "static analysis".
> ---
> drivers/usb/misc/iowarrior.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
> index bc88c79..8ed8d05 100644
> --- a/drivers/usb/misc/iowarrior.c
> +++ b/drivers/usb/misc/iowarrior.c
> @@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
> case USB_DEVICE_ID_CODEMERCS_IOWPV2:
> case USB_DEVICE_ID_CODEMERCS_IOW40:
> /* IOW24 and IOW40 use a synchronous call */
> - buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both products */
> + buf = kmalloc(count, GFP_KERNEL);
> if (!buf) {
> retval = -ENOMEM;
> goto exit;
next prev parent reply other threads:[~2010-10-11 18:54 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-11 18:28 [PATCH] usb: don't trust report_size for buffer size Kees Cook
2010-10-11 18:54 ` Németh Márton [this message]
2010-10-11 19:11 ` Kees Cook
2010-10-11 19:34 ` Németh Márton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CB35D4C.9000406@freemail.hu \
--to=nm127@freemail.hu \
--cc=gregkh@suse.de \
--cc=joe@perches.com \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=oliver@neukum.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox