| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20191018151955.25135-1-johan@kernel.org>
Date: Fri, 18 Oct 2019 17:19:53 +0200
From: Johan Hovold <johan@...nel.org>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Alan Stern <stern@...land.harvard.edu>,
Oliver Neukum <oneukum@...e.com>,
"Paul E . McKenney" <paulmck@...ux.vnet.ibm.com>,
linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
Johan Hovold <johan@...nel.org>
Subject: [PATCH v2 0/2] USB: ldusb: fix ring-buffer bugs
Syzbot has been reporting a slab-out-of-bounds/bad user copy in ldusb
for some time now.
This turned out to due to a bug in the read() implementation, which
would have read() access the uninitialised ring buffer and leak huge
amounts of slab data on URB completion errors (e.g. disconnect).
The first patch plugs the info leaks.
The second patch fixes a couple of issues in the custom ring-buffer
implementation, which before the first patch also could have led to
info leaks.
In an attempt to avoid copying the ring-buffer entry to a temporary
buffer while holding the spinlock, I added an smp_rmb() before
copy_to_user() which I think will suffice, but I'd appreciate if you
could help me verify that. Hence the RFC on that one.
The first commit could go to Linus meanwhile.
Johan
v2
- fix buffer-entry length check in 1/2
Johan Hovold (2):
USB: ldusb: fix read info leaks
USB: ldusb: fix ring-buffer locking
drivers/usb/misc/ldusb.c | 31 ++++++++++++++++++++++---------
1 file changed, 22 insertions(+), 9 deletions(-)
--
2.23.0
Powered by blists - more mailing lists