| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID:
<CO1PR17MB5419BD664264A558B2395E28E1112@CO1PR17MB5419.namprd17.prod.outlook.com>
Date: Tue, 23 Apr 2024 18:02:15 +0000
From: Chris Wulff <Chris.Wulff@...mp.com>
To: "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>
CC: Greg KH <gregkh@...uxfoundation.org>, Jerry Zhang <zhangjerry@...gle.com>,
Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
Jeff Layton
<jlayton@...nel.org>,
Paul Cercueil <paul@...pouillou.net>,
Kees Cook
<keescook@...omium.org>,
Chris Wulff <Chris.Wulff@...mp.com>,
Uttkarsh
Aggarwal <quic_uaggarwa@...cinc.com>,
Dmitry Antipov <dmantipov@...dex.ru>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-stable@...r.kernel.org" <linux-stable@...r.kernel.org>
Subject: [PATCH v2] usb: gadget: f_fs: Fix a race condition when processing
setup packets.
If the USB driver passes a pointer into the TRB buffer for creq, this
buffer can be overwritten with the status response as soon as the event
is queued. This can make the final check return USB_GADGET_DELAYED_STATUS
when it shouldn't. Instead use the stored wLength.
Fixes: 4d644abf2569 ("usb: gadget: f_fs: Only return delayed status when len is 0")
Signed-off-by: Chris Wulff <chris.wulff@...mp.com>
---
v2: Added fixes tag
drivers/usb/gadget/function/f_fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index bffbc1dc651f..8d72acf9a760 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -3803,7 +3803,7 @@ static int ffs_func_setup(struct usb_function *f,
__ffs_event_add(ffs, FUNCTIONFS_SETUP);
spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
- return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
+ return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
}
static bool ffs_func_req_match(struct usb_function *f,
--
2.34.1
Powered by blists - more mailing lists