[PATCH] usb: gadget: configfs: Fix OOB read on empty string write

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] usb: gadget: configfs: Fix OOB read on empty string write
@ 2025-07-09  3:55 Xinyu Liu
  2025-07-09  8:48 ` Sergey Shtylyov
  0 siblings, 1 reply; 4+ messages in thread
From: Xinyu Liu @ 2025-07-09  3:55 UTC (permalink / raw)
  To: gregkh; +Cc: linux-usb, linux-kernel, katieeliu, security, Xinyu Liu

When writing an empty string to either 'qw_sign' or 'landingPage'
sysfs attributes, the store functions attempt to access page[l - 1]
before validating that the length 'l' is greater than zero.

This patch fixes the vulnerability by adding a check at the beginning
of os_desc_qw_sign_store() and webusb_landingPage_store() to handle
the zero-length input case gracefully by returning immediately.

Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
---
 drivers/usb/gadget/configfs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index fba2a56dae97..1bb32d6be9b3 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -1064,7 +1064,8 @@ static ssize_t webusb_landingPage_store(struct config_item *item, const char *pa
 	struct gadget_info *gi = webusb_item_to_gadget_info(item);
 	unsigned int bytes_to_strip = 0;
 	int l = len;
-
+	if (!len)
+		return len;
 	if (page[l - 1] == '\n') {
 		--l;
 		++bytes_to_strip;
@@ -1187,7 +1188,8 @@ static ssize_t os_desc_qw_sign_store(struct config_item *item, const char *page,
 {
 	struct gadget_info *gi = os_desc_item_to_gadget_info(item);
 	int res, l;
-
+	if (!len)
+		return len;
 	l = min_t(int, len, OS_STRING_QW_SIGN_LEN >> 1);
 	if (page[l - 1] == '\n')
 		--l;
-- 
2.39.5 (Apple Git-154)


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] usb: gadget: configfs: Fix OOB read on empty string write
  2025-07-09  3:55 [PATCH] usb: gadget: configfs: Fix OOB read on empty string write Xinyu Liu
@ 2025-07-09  8:48 ` Sergey Shtylyov
  2025-07-09 10:22   ` Xinyu Liu
  0 siblings, 1 reply; 4+ messages in thread
From: Sergey Shtylyov @ 2025-07-09  8:48 UTC (permalink / raw)
  To: Xinyu Liu, gregkh; +Cc: linux-usb, linux-kernel, katieeliu, security

On 7/9/25 6:55 AM, Xinyu Liu wrote:

> When writing an empty string to either 'qw_sign' or 'landingPage'
> sysfs attributes, the store functions attempt to access page[l - 1]
> before validating that the length 'l' is greater than zero.
> 
> This patch fixes the vulnerability by adding a check at the beginning
> of os_desc_qw_sign_store() and webusb_landingPage_store() to handle
> the zero-length input case gracefully by returning immediately.
> 
> Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
> ---
>  drivers/usb/gadget/configfs.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
> index fba2a56dae97..1bb32d6be9b3 100644
> --- a/drivers/usb/gadget/configfs.c
> +++ b/drivers/usb/gadget/configfs.c
> @@ -1064,7 +1064,8 @@ static ssize_t webusb_landingPage_store(struct config_item *item, const char *pa
>  	struct gadget_info *gi = webusb_item_to_gadget_info(item);
>  	unsigned int bytes_to_strip = 0;
>  	int l = len;
> -

   Why are you removing empty line here?

> +	if (!len)
> +		return len;
>  	if (page[l - 1] == '\n') {
>  		--l;
>  		++bytes_to_strip;
> @@ -1187,7 +1188,8 @@ static ssize_t os_desc_qw_sign_store(struct config_item *item, const char *page,
>  {
>  	struct gadget_info *gi = os_desc_item_to_gadget_info(item);
>  	int res, l;
> -

   And here?

> +	if (!len)
> +		return len;
>  	l = min_t(int, len, OS_STRING_QW_SIGN_LEN >> 1);
>  	if (page[l - 1] == '\n')
>  		--l;

MBR, Sergey


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] usb: gadget: configfs: Fix OOB read on empty string write
  2025-07-09  8:48 ` Sergey Shtylyov
@ 2025-07-09 10:22   ` Xinyu Liu
  2025-07-09 19:02     ` Sergey Shtylyov
  0 siblings, 1 reply; 4+ messages in thread
From: Xinyu Liu @ 2025-07-09 10:22 UTC (permalink / raw)
  To: Sergey Shtylyov, gregkh; +Cc: linux-usb, linux-kernel, katieeliu, security

Hi Sergey,

Thanks for your review.

You are right, removing the blank line is inappropriate. I’ve 
double-checked the original code and confirmed there are no invisible 
spaces or tabs, yet checkpatch.pl still reports "ERROR: trailing 
whitespace" on these lines. I removed the empty line here, and it 
resolved the error.

Thanks for pointing this out!

Best regards,
Xinyu Liu

在 2025/7/9 16:48, Sergey Shtylyov 写道:
> On 7/9/25 6:55 AM, Xinyu Liu wrote:
>
>> When writing an empty string to either 'qw_sign' or 'landingPage'
>> sysfs attributes, the store functions attempt to access page[l - 1]
>> before validating that the length 'l' is greater than zero.
>>
>> This patch fixes the vulnerability by adding a check at the beginning
>> of os_desc_qw_sign_store() and webusb_landingPage_store() to handle
>> the zero-length input case gracefully by returning immediately.
>>
>> Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
>> ---
>>   drivers/usb/gadget/configfs.c | 6 ++++--
>>   1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
>> index fba2a56dae97..1bb32d6be9b3 100644
>> --- a/drivers/usb/gadget/configfs.c
>> +++ b/drivers/usb/gadget/configfs.c
>> @@ -1064,7 +1064,8 @@ static ssize_t webusb_landingPage_store(struct config_item *item, const char *pa
>>   	struct gadget_info *gi = webusb_item_to_gadget_info(item);
>>   	unsigned int bytes_to_strip = 0;
>>   	int l = len;
>> -
>     Why are you removing empty line here?
>
>> +	if (!len)
>> +		return len;
>>   	if (page[l - 1] == '\n') {
>>   		--l;
>>   		++bytes_to_strip;
>> @@ -1187,7 +1188,8 @@ static ssize_t os_desc_qw_sign_store(struct config_item *item, const char *page,
>>   {
>>   	struct gadget_info *gi = os_desc_item_to_gadget_info(item);
>>   	int res, l;
>> -
>     And here?
>
>> +	if (!len)
>> +		return len;
>>   	l = min_t(int, len, OS_STRING_QW_SIGN_LEN >> 1);
>>   	if (page[l - 1] == '\n')
>>   		--l;
> MBR, Sergey


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] usb: gadget: configfs: Fix OOB read on empty string write
  2025-07-09 10:22   ` Xinyu Liu
@ 2025-07-09 19:02     ` Sergey Shtylyov
  0 siblings, 0 replies; 4+ messages in thread
From: Sergey Shtylyov @ 2025-07-09 19:02 UTC (permalink / raw)
  To: Xinyu Liu, gregkh; +Cc: linux-usb, linux-kernel, katieeliu, security

On 7/9/25 1:22 PM, Xinyu Liu wrote:
[...]

> You are right, removing the blank line is inappropriate.

   Empty lines separating declarations from the other statements should be kept...

> I’ve double-checked the original code and confirmed there are no invisible spaces or tabs,

   I'm not seeing them as well in your patch...

> yet checkpatch.pl still reports "ERROR: trailing whitespace" on these lines. I removed the empty line here, and it resolved the error.

   Hm... something wrong with your setup, I guess...

> Thanks for pointing this out!

[...]
MBR, Sergey


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-07-09 19:02 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-09  3:55 [PATCH] usb: gadget: configfs: Fix OOB read on empty string write Xinyu Liu
2025-07-09  8:48 ` Sergey Shtylyov
2025-07-09 10:22   ` Xinyu Liu
2025-07-09 19:02     ` Sergey Shtylyov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).