lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 26 Aug 2020 00:16:59 +0800 From: <yanfei.xu@...driver.com> To: <gregkh@...uxfoundation.org> CC: <linux-usb@...r.kernel.org>, <linux-kernel@...r.kernel.org> Subject: [PATCH] USB: core: limit access to rawdescriptors which were not allocated From: Yanfei Xu <yanfei.xu@...driver.com> When using systemcall to read the rawdescriptors, make sure we won't access to the rawdescriptors never allocated, which are number exceed the USB_MAXCONFIG. Reported-by: syzbot+256e56ddde8b8957eabd@...kaller.appspotmail.com Signed-off-by: Yanfei Xu <yanfei.xu@...driver.com> --- drivers/usb/core/sysfs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c index a2ca38e25e0c..1a7a625e5f55 100644 --- a/drivers/usb/core/sysfs.c +++ b/drivers/usb/core/sysfs.c @@ -895,7 +895,8 @@ read_descriptors(struct file *filp, struct kobject *kobj, * configurations (config plus subsidiary descriptors). */ for (cfgno = -1; cfgno < udev->descriptor.bNumConfigurations && - nleft > 0; ++cfgno) { + nleft > 0 && + cfgno < USB_MAXCONFIG; ++cfgno) { if (cfgno < 0) { src = &udev->descriptor; srclen = sizeof(struct usb_device_descriptor); -- 2.18.2
Powered by blists - more mailing lists