stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
	Andrey Konovalov <andreyknvl@google.com>,
	Felipe Balbi <felipe.balbi@linux.intel.com>
Subject: [PATCH 4.4 012/101] USB: gadgetfs: fix unbounded memory allocation bug
Date: Tue, 10 Jan 2017 14:36:25 +0100	[thread overview]
Message-ID: <20170110131523.017359630@linuxfoundation.org> (raw)
In-Reply-To: <20170110131522.493717794@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream.

Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN warning in gadgetfs:

BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
Write of size 65537 by task syz-executor0/6356
CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
 ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
 ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
 [<     inline     >] print_address_description mm/kasan/report.c:197
 [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
 [<ffffffff817e5705>] kasan_report+0x35/0x40 mm/kasan/report.c:306
 [<     inline     >] check_memory_region_inline mm/kasan/kasan.c:308
 [<ffffffff817e3fb9>] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
 [<ffffffff817e4044>] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
 [<     inline     >] copy_from_user arch/x86/include/asm/uaccess.h:689
 [<     inline     >] ep0_write drivers/usb/gadget/legacy/inode.c:1135
 [<ffffffff83228caf>] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
 [<ffffffff817fdd55>] __vfs_write+0x5d5/0x760 fs/read_write.c:510
 [<ffffffff817ff650>] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [<     inline     >] SYSC_write fs/read_write.c:607
 [<ffffffff81803a5b>] SyS_write+0xfb/0x230 fs/read_write.c:599
 [<ffffffff84f47ec1>] entry_SYSCALL_64_fastpath+0x1f/0xc2

Indeed, there is a comment saying that the value of len is restricted
to a 16-bit integer, but the code doesn't actually do this.

This patch fixes the warning.  It replaces the comment with a
computation that forces the amount of data copied from the user in
ep0_write() to be no larger than the wLength size for the control
transfer, which is a 16-bit quantity.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/legacy/inode.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1125,7 +1125,7 @@ ep0_write (struct file *fd, const char _
 	/* data and/or status stage for control request */
 	} else if (dev->state == STATE_DEV_SETUP) {
 
-		/* IN DATA+STATUS caller makes len <= wLength */
+		len = min_t(size_t, len, dev->setup_wLength);
 		if (dev->setup_in) {
 			retval = setup_req (dev->gadget->ep0, dev->req, len);
 			if (retval == 0) {
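Review bot: the clamp `len = min_t(size_t, len, dev->setup_wLength);` is applied in the caller on the size_t value before `setup_req (dev->gadget->ep0, dev->req, len);` receives it, which is the right place for a bound that the commit message says must be a 16-bit quantity; a bound inside the callee could not see the original length. Two things worth confirming in review: the removed comment described only the IN case, but the new line sits ahead of the `if (dev->setup_in)` test and therefore also governs the path taken when `setup_in` is false, so that path should be checked to expect a wLength-bounded len as well; and a write longer than wLength is now silently shortened rather than rejected, so the caller will observe a short write, which matches the "no larger than the wLength size" intent but should be stated in the commit message.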


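As an added example, not part of the patch or of the kernel's code, the following user-space C model shows the data-stage copy in ep0_write() before and after the clamp the patch introduces, and why the bound has to be applied to the size_t length in the caller rather than to a 16-bit parameter in a callee. The names (ctrl_model, model_write, len_as_seen_by_u16_callee) and the 256-byte buffer are assumptions of the model.

```c
#include <stdint.h>
#include <string.h>
#define EP0_BUF_SIZE 256   /* constructed buffer size for this model, not gadgetfs's */

/* Same shape as the kernel's min_t(): both operands are cast to the named
 * type before comparing, so the size_t len is never silently narrowed. */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

struct ctrl_model {
	uint16_t setup_wLength;      /* 16-bit wLength from the SETUP packet */
	uint8_t  buf[EP0_BUF_SIZE];  /* destination of the data-stage copy */
};

/* Before the fix: the comment promised len <= wLength but nothing enforced it.
 * The model does not perform the overrun; it reports how many bytes of a
 * len-byte copy would land past the end of buf (0 means in bounds). */
size_t overrun_bytes_unclamped(size_t len)
{
	return len > EP0_BUF_SIZE ? len - EP0_BUF_SIZE : 0;
}

/* After the fix: clamp len to wLength exactly as the patch does, then copy.
 * The second clamp is the model's own guard so a wLength larger than the
 * constructed buffer still cannot overrun it. Returns the bytes accepted. */
size_t ep0_write_clamped(struct ctrl_model *dev, const uint8_t *user, size_t len)
{
	len = min_t(size_t, len, dev->setup_wLength);
	if (len > sizeof dev->buf)
		len = sizeof dev->buf;
	memcpy(dev->buf, user, len);
	return len;
}

/* Runs one constructed write() of len bytes against a SETUP carrying wLength. */
size_t model_write(uint16_t wLength, size_t len)
{
	struct ctrl_model dev = { .setup_wLength = wLength };
	uint8_t user[EP0_BUF_SIZE] = { 0 };  /* constructed user data */
	return ep0_write_clamped(&dev, user, len);
}

/* Why the bound must be applied on the size_t in the caller: a length handed
 * to a u16 parameter keeps only its low 16 bits, so the 65537-byte write from
 * the KASAN report arrives as 1 and passes any check the callee makes. */
static uint16_t callee_with_u16_len(uint16_t len) { return len; }
size_t len_as_seen_by_u16_callee(size_t len)
{
	return callee_with_u16_len(len);
}
```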
