| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200825161659.19008-1-yanfei.xu@windriver.com>
Date: Wed, 26 Aug 2020 00:16:59 +0800
From: <yanfei.xu@...driver.com>
To: <gregkh@...uxfoundation.org>
CC: <linux-usb@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: [PATCH] USB: core: limit access to rawdescriptors which were not allocated
From: Yanfei Xu <yanfei.xu@...driver.com>
When using systemcall to read the rawdescriptors, make sure we won't
access to the rawdescriptors never allocated, which are number
exceed the USB_MAXCONFIG.
Reported-by: syzbot+256e56ddde8b8957eabd@...kaller.appspotmail.com
Signed-off-by: Yanfei Xu <yanfei.xu@...driver.com>
---
drivers/usb/core/sysfs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
index a2ca38e25e0c..1a7a625e5f55 100644
--- a/drivers/usb/core/sysfs.c
+++ b/drivers/usb/core/sysfs.c
@@ -895,7 +895,8 @@ read_descriptors(struct file *filp, struct kobject *kobj,
* configurations (config plus subsidiary descriptors).
*/
for (cfgno = -1; cfgno < udev->descriptor.bNumConfigurations &&
- nleft > 0; ++cfgno) {
+ nleft > 0 &&
+ cfgno < USB_MAXCONFIG; ++cfgno) {
if (cfgno < 0) {
src = &udev->descriptor;
srclen = sizeof(struct usb_device_descriptor);
--
2.18.2
Powered by blists - more mailing lists