| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20101011191119.GN4991@outflux.net>
Date: Mon, 11 Oct 2010 12:11:19 -0700
From: Kees Cook <kees.cook@...onical.com>
To: Németh Márton <nm127@...email.hu>
Cc: linux-kernel@...r.kernel.org, Greg Kroah-Hartman <gregkh@...e.de>,
Oliver Neukum <oliver@...kum.org>,
Joe Perches <joe@...ches.com>, linux-usb@...r.kernel.org
Subject: Re: [PATCH] usb: don't trust report_size for buffer size
Hi Németh,
On Mon, Oct 11, 2010 at 08:54:04PM +0200, Németh Márton wrote:
> There might be similar problem also in the case USB_DEVICE_ID_CODEMERCS_IOW56. There
> is buf is allocated with usb_alloc_coherent() to the size dev->report_size. However,
> some lines later the copy_from_user() function tries to copy "count" number of
> bytes to the dev->report_size allocated buffer. Unfortunately I don't have such
> devices to try the driver so these are just coming from "static analysis".
I don't think the USB_DEVICE_ID_CODEMERCS_IOW56 path is a problem:
if (count != dev->report_size) {
retval = -EINVAL;
goto exit;
}
switch (dev->product_id) {
...
case USB_DEVICE_ID_CODEMERCS_IOW56:
...
buf = usb_alloc_coherent(dev->udev, dev->report_size,
GFP_KERNEL, &int_out_urb->transfer_dma);
...
if (copy_from_user(buf, user_buffer, count)) {
i.e. count must == dev->report_size, and the buf is allocated with size
dev->report_size even though copy_from_user uses "count".
-Kees
--
Kees Cook
Ubuntu Security Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists