| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20191018141750.23756-1-johan@kernel.org>
Date: Fri, 18 Oct 2019 16:17:48 +0200
From: Johan Hovold <johan@...nel.org>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Alan Stern <stern@...land.harvard.edu>,
Oliver Neukum <oneukum@...e.com>,
"Paul E . McKenney" <paulmck@...ux.vnet.ibm.com>,
linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
Johan Hovold <johan@...nel.org>
Subject: [PATCH 0/2] USB: ldusb: fix ring-buffer bugs
Syzbot has been reporting a slab-out-of-bound/bad user copy in ldusb for
some time now.
This turned out to due to a bug in the read() implementation, which
would have read() access the uninitialised ring buffer and leak huge
amounts of slab data on URB completion errors (e.g. disconnect).
The first patch plugs the info leaks.
The second patch fixes a couple of issues in the custom ring-buffer
implementation, which before the first patch also could have led to
info leaks.
In an attempt to avoid copying the ring-buffer entry to a temporary
buffer while holding the spinlock, I added an smp_rmb() before
copy_to_user() which I think will suffice, but I'd appreciate if you
could help me verify that. Hence the RFC on that one.
The first commit could go to Linus meanwhile.
Johan
Johan Hovold (2):
USB: ldusb: fix read info leaks
USB: ldusb: fix ring-buffer locking
drivers/usb/misc/ldusb.c | 31 ++++++++++++++++++++++---------
1 file changed, 22 insertions(+), 9 deletions(-)
--
2.23.0
Powered by blists - more mailing lists