Message-ID: <7b25946e-265a-4939-98dc-d31555e143bb@rowland.harvard.edu>
Date: Tue, 12 Nov 2024 10:38:15 -0500
From: Alan Stern <stern@...land.harvard.edu>
To: Sabyrzhan Tasbolatov <snovitoll@...il.com>
Cc: Oliver Neukum <oneukum@...e.com>,
syzbot+9760fbbd535cee131f81@...kaller.appspotmail.com,
gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
linux-usb@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] usb/cdc-wdm: fix memory leak of wdm_device
On Tue, Nov 12, 2024 at 02:34:13PM +0500, Sabyrzhan Tasbolatov wrote:
> On Mon, Nov 11, 2024 at 7:29 PM Alan Stern <stern@...land.harvard.edu> wrote:
> > I don't understand your analysis. As you said, cntr is initially set to
> > the amount in the buffer:
> >
> > If cntr <= count then cntr isn't changed, so the amount of data
> > copied to the user is the same as what is in the buffer.
> >
> > Otherwise, if cntr > count, then cntr is decreased so that the
> > amount copied to the user is no larger than what the user asked
> > for -- but then it's obviously smaller than what's in the buffer.
> >
> > In neither case does the code copy more data than the buffer contains.
>
> Hello,
> I've sent the v3 patch [1] per Oliver's explanation if I interpreted
> it correctly.
> I don't have the reproducer to verify if the patch solves the problem.
> If the analysis or patch is not right, please let me know.

The analysis is not right.

The patch is also not right, because it doesn't change the meaning of
the code (except for one respect, in which it is wrong). I'll send
another email responding to the patch itself.

Alan Stern