lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 23 Apr 2024 18:02:15 +0000
From: Chris Wulff <Chris.Wulff@...mp.com>
To: "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>
CC: Greg KH <gregkh@...uxfoundation.org>, Jerry Zhang <zhangjerry@...gle.com>,
        Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
        Jeff Layton
	<jlayton@...nel.org>,
        Paul Cercueil <paul@...pouillou.net>,
        Kees Cook
	<keescook@...omium.org>,
        Chris Wulff <Chris.Wulff@...mp.com>,
        Uttkarsh
 Aggarwal <quic_uaggarwa@...cinc.com>,
        Dmitry Antipov <dmantipov@...dex.ru>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-stable@...r.kernel.org" <linux-stable@...r.kernel.org>
Subject: [PATCH v2] usb: gadget: f_fs: Fix a race condition when processing
 setup packets.

If the USB driver passes a pointer into the TRB buffer for creq, this
buffer can be overwritten with the status response as soon as the event
is queued. This can make the final check return USB_GADGET_DELAYED_STATUS
when it shouldn't. Instead use the stored wLength.

Fixes: 4d644abf2569 ("usb: gadget: f_fs: Only return delayed status when len is 0")
Signed-off-by: Chris Wulff <chris.wulff@...mp.com>
---
v2: Added fixes tag

 drivers/usb/gadget/function/f_fs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index bffbc1dc651f..8d72acf9a760 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -3803,7 +3803,7 @@ static int ffs_func_setup(struct usb_function *f,
 	__ffs_event_add(ffs, FUNCTIONFS_SETUP);
 	spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
 
-	return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
+	return ffs->ev.setup.wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
 }
 
 static bool ffs_func_req_match(struct usb_function *f,
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ