From: Nathan Chancellor <natechancellor@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Andrey Konovalov <andreyknvl@google.com>,
Arnd Bergmann <arnd@arndb.de>
Subject: Re: [PATCH 4.9 25/30] USB: core: only clean up what we allocated
Date: Sat, 30 Mar 2019 10:18:38 -0700 [thread overview]
Message-ID: <20190330171838.GA2150@archlinux-ryzen> (raw)
In-Reply-To: <20190326042608.413616958@linuxfoundation.org>
On Tue, Mar 26, 2019 at 03:30:04PM +0900, Greg Kroah-Hartman wrote:
> 4.9-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Andrey Konovalov <andreyknvl@google.com>
>
> commit 32fd87b3bbf5f7a045546401dfe2894dbbf4d8c3 upstream.
>
> When cleaning up the configurations, make sure we only free the number
> of configurations and interfaces that we could have allocated.
>
> Reported-by: Andrey Konovalov <andreyknvl@google.com>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> ---
> drivers/usb/core/config.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -763,18 +763,21 @@ void usb_destroy_configuration(struct us
> return;
>
> if (dev->rawdescriptors) {
> - for (i = 0; i < dev->descriptor.bNumConfigurations; i++)
> + for (i = 0; i < dev->descriptor.bNumConfigurations &&
> + i < USB_MAXCONFIG; i++)
> kfree(dev->rawdescriptors[i]);
>
> kfree(dev->rawdescriptors);
> dev->rawdescriptors = NULL;
> }
>
> - for (c = 0; c < dev->descriptor.bNumConfigurations; c++) {
> + for (c = 0; c < dev->descriptor.bNumConfigurations &&
> + c < USB_MAXCONFIG; c++) {
> struct usb_host_config *cf = &dev->config[c];
>
> kfree(cf->string);
> - for (i = 0; i < cf->desc.bNumInterfaces; i++) {
> + for (i = 0; i < cf->desc.bNumInterfaces &&
> + i < USB_MAXINTERFACES; i++) {
> if (cf->intf_cache[i])
> kref_put(&cf->intf_cache[i]->ref,
> usb_release_interface_cache);
>
>
You reverted this upstream in commit cf4df407e0d7 ("Revert "USB: core:
only clean up what we allocated"") in favor of commit 48a4ff1c7bb5
("USB: core: prevent malicious bNumInterfaces overflow"), which has been
in this tree since 4.9.71.
Sorry for not catching this earlier,
Nathan
next prev parent reply other threads:[~2019-03-30 17:18 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-26 6:29 [PATCH 4.9 00/30] 4.9.166-stable review Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 01/30] mmc: pxamci: fix enum type confusion Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 02/30] drm/vmwgfx: Dont double-free the mode stored in par->set_mode Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 03/30] iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 04/30] libceph: wait for latest osdmap in ceph_monc_blacklist_add() Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 05/30] udf: Fix crash on IO error during truncate Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 06/30] mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to "cascade" irqaction Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 07/30] MIPS: Ensure ELF appended dtb is relocated Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 08/30] MIPS: Fix kernel crash for R6 in jump label branch function Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 09/30] futex: Ensure that futex address is aligned in handle_futex_death() Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 10/30] objtool: Move objtool_file struct off the stack Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 11/30] ext4: fix NULL pointer dereference while journal is aborted Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 12/30] ext4: fix data corruption caused by unaligned direct AIO Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 13/30] ext4: brelse all indirect buffer in ext4_ind_remove_space() Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 14/30] media: v4l2-ctrls.c/uvc: zero v4l2_event Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 15/30] Bluetooth: Fix decrementing reference count twice in releasing socket Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 16/30] locking/lockdep: Add debug_locks check in __lock_downgrade() Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 17/30] ALSA: hda - Record the current power state before suspend/resume calls Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 18/30] ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 19/30] tcp/dccp: drop SYN packets if accept queue is full Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 20/30] serial: sprd: adjust TIMEOUT to a big value Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 21/30] Hang/soft lockup in d_invalidate with simultaneous calls Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 22/30] arm64: traps: disable irq in die() Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 23/30] serial: sprd: clear timeout interrupt only rather than all interrupts Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 24/30] lib/int_sqrt: optimize small argument Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 25/30] USB: core: only clean up what we allocated Greg Kroah-Hartman
2019-03-30 17:18 ` Nathan Chancellor [this message]
2019-04-01 11:46 ` Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 26/30] scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1 Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 27/30] rtc: Fix overflow when converting time64_t to rtc_time Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 28/30] pwm-backlight: Enable/disable the PWM before/after LCD enable toggle Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 29/30] power: supply: charger-manager: Fix incorrect return value Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 30/30] ath10k: avoid possible string overflow Greg Kroah-Hartman
2019-03-26 11:41 ` [PATCH 4.9 00/30] 4.9.166-stable review Naresh Kamboju
2019-03-26 12:03 ` kernelci.org bot
2019-03-26 15:18 ` Jon Hunter
2019-03-26 17:48 ` Guenter Roeck
2019-03-26 23:16 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190330171838.GA2150@archlinux-ryzen \
--to=natechancellor@gmail.com \
--cc=andreyknvl@google.com \
--cc=arnd@arndb.de \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).