lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <86298eaa-aee8-18fe-d389-8522c6746578@mev.co.uk>
Date:   Tue, 26 Oct 2021 15:34:27 +0100
From:   Ian Abbott <abbotti@....co.uk>
To:     Johan Hovold <johan@...nel.org>,
        H Hartley Sweeten <hsweeten@...ionengravers.com>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org
Subject: Re: [PATCH 4/5] comedi: vmk80xx: fix bulk-buffer overflow

On 25/10/2021 12:45, Johan Hovold wrote:
> The driver is using endpoint-sized buffers but must not assume that the
> tx and rx buffers are of equal size or a malicious device could overflow
> the slab-allocated receive buffer when doing bulk transfers.
> 
> Fixes: 985cafccbf9b ("Staging: Comedi: vmk80xx: Add k8061 support")
> Cc: stable@...r.kernel.org      # 2.6.31
> Signed-off-by: Johan Hovold <johan@...nel.org>
> ---
>   drivers/comedi/drivers/vmk80xx.c | 16 +++++++---------
>   1 file changed, 7 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/comedi/drivers/vmk80xx.c b/drivers/comedi/drivers/vmk80xx.c
> index f2c1572d0cd7..9c56918e3b76 100644
> --- a/drivers/comedi/drivers/vmk80xx.c
> +++ b/drivers/comedi/drivers/vmk80xx.c
> @@ -159,22 +159,20 @@ static void vmk80xx_do_bulk_msg(struct comedi_device *dev)
>   	__u8 rx_addr;
>   	unsigned int tx_pipe;
>   	unsigned int rx_pipe;
> -	size_t size;
> +	size_t tx_size;
> +	size_t rx_size;
>   
>   	tx_addr = devpriv->ep_tx->bEndpointAddress;
>   	rx_addr = devpriv->ep_rx->bEndpointAddress;
>   	tx_pipe = usb_sndbulkpipe(usb, tx_addr);
>   	rx_pipe = usb_rcvbulkpipe(usb, rx_addr);
> -
> -	/*
> -	 * The max packet size attributes of the K8061
> -	 * input/output endpoints are identical
> -	 */
> -	size = usb_endpoint_maxp(devpriv->ep_tx);
> +	tx_size = usb_endpoint_maxp(devpriv->ep_tx);
> +	rx_size = usb_endpoint_maxp(devpriv->ep_rx);
>   
>   	usb_bulk_msg(usb, tx_pipe, devpriv->usb_tx_buf,
> -		     size, NULL, devpriv->ep_tx->bInterval);
> -	usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, size, NULL, HZ * 10);
> +		     tx_size, NULL, devpriv->ep_tx->bInterval);
> +
> +	usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, rx_size, NULL, HZ * 10);
>   }
>   
>   static int vmk80xx_read_packet(struct comedi_device *dev)
> 

Looks good, thanks!

Reviewed-by: Ian Abbott <abbotti@....co.uk>

-- 
-=( Ian Abbott <abbotti@....co.uk> || MEV Ltd. is a company  )=-
-=( registered in England & Wales.  Regd. number: 02862268.  )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ