lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YuEElC563HN5ldMu@kroah.com>
Date:   Wed, 27 Jul 2022 11:25:40 +0200
From:   "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
To:     Andy Guo (郭卫斌) <guoweibin@...pur.com>
Cc:     "b-liu@...com" <b-liu@...com>,
        "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] usb: musb: Fix musb_gadget.c rxstate may cause
 request->buf overflow problems

On Wed, Jul 27, 2022 at 08:43:34AM +0000, Andy Guo (郭卫斌) wrote:
> From: guoweibin <guoweibin@...pur.com>

Your From: in your email has your real name, why not use that instead of
just putting your email alias here?

> 
> when the rxstate function executes the 'goto buffer_aint_mapped' code
> branch, it will always copy the fifocnt bytes data to request->buf,
> which may cause request->buf out of bounds. for Ethernet-over-USB will
> cause skb_over_panic when a packet larger than mtu is recived.

How can we get a bigger packet than mtu?

> 
> Fix it by add the length check :
> fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
> 
> Signed-off-by: guoweibin <guoweibin@...pur.com>

Same here.

> ---
>  v2:
> -fix format error
>  drivers/usb/musb/musb_gadget.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
> index 51274b87f46c..4ad5a1f31d7e 100644
> --- a/drivers/usb/musb/musb_gadget.c
> +++ b/drivers/usb/musb/musb_gadget.c
> @@ -760,6 +760,7 @@ static void rxstate(struct musb *musb, struct musb_request *req)
>  			musb_writew(epio, MUSB_RXCSR, csr);
>  
>  buffer_aint_mapped:
> +			fifo_count = min_t(unsigned, request->length - request->actual, fifo_count);

Why the case to "unsigned"?

And if we get a too big packet, shouldn't we drop it?

And what does this have to do with a usb-ethernet device, this is in the
generic musb code, not an ethernet driver.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ