| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7acfffb210974cff959d056ef88221de@inspur.com>
Date: Wed, 27 Jul 2022 07:21:39 +0000
From: Andy Guo (郭卫斌) <guoweibin@...pur.com>
To: "b-liu@...com" <b-liu@...com>,
"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
CC: "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: [PATCH] usb: musb: Fix musb_gadget.c rxstate may cause request->buf
overflow problems
when the rxstate function executes the 'goto buffer_aint_mapped' code
branch, it will always copy the fifocnt bytes data to request->buf,
which may cause request->buf out of bounds. for Ethernet-over-USB will
cause skb_over_panic when a packet larger than mtu is recived.
Fix it by add the length check :
fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
Signed-off-by: guoweibin <guoweibin@...pur.com>
---
drivers/usb/musb/musb_gadget.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
index 51274b87f46c..4ad5a1f31d7e 100644
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -760,6 +760,7 @@ static void rxstate(struct musb *musb, struct musb_request *req)
musb_writew(epio, MUSB_RXCSR, csr);
buffer_aint_mapped:
+ fifo_count = min_t(unsigned, request->length - request->actual, fifo_count);
musb_read_fifo(musb_ep->hw_ep, fifo_count, (u8 *)
(request->buf + request->actual));
request->actual += fifo_count;
Download attachment "smime.p7s" of type "application/pkcs7-signature" (3801 bytes)
Powered by blists - more mailing lists