Message-ID: <659844BA-48EF-47E1-8D66-D4CA98359BBF@kernel.org>
Date: Sun, 22 Jun 2025 13:02:20 -0700
From: Kees Cook <kees@...nel.org>
To: asmadeus@...ewreck.org,
 Dominique Martinet via B4 Relay <devnull+asmadeus.codewreck.org@...nel.org>,
 Eric Van Hensbergen <ericvh@...nel.org>, Latchesar Ionkov <lucho@...kov.net>,
 Christian Schoenebeck <linux_oss@...debyte.com>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Michael Grzeschik <m.grzeschik@...gutronix.de>
CC: stable@...r.kernel.org, Yuhao Jiang <danisjiang@...il.com>,
 security@...nel.org, v9fs@...ts.linux.dev, linux-kernel@...r.kernel.org,
 Dominique Martinet <asmadeus@...ewreck.org>
Subject: Re: [PATCH v3] net/9p: Fix buffer overflow in USB transport layer



On June 22, 2025 6:39:56 AM PDT, Dominique Martinet via B4 Relay <devnull+asmadeus.codewreck.org@...nel.org> wrote:
> [...]
>Add validation in usb9pfs_rx_complete() to ensure req->actual does not
>exceed the buffer capacity before copying data.
> [...]
>+	if (req_size > p9_rx_req->rc.capacity) {
>+		dev_err(&cdev->gadget->dev,
>+			"%s received data size %u exceeds buffer capacity %zu\n",
>+			ep->name, req_size, p9_rx_req->rc.capacity);
>+		req_size = 0;
>+		status = REQ_STATUS_ERROR;
>+	}
> 
>-	p9_rx_req->rc.size = req->actual;
>+	memcpy(p9_rx_req->rc.sdata, req->buf, req_size);
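Review bot: the hunk removes `p9_rx_req->rc.size = req->actual;` but the quoted excerpt does not show what replaces it; since the error path leaves `req_size = 0` and `status = REQ_STATUS_ERROR`, rc.size needs to be assigned from the validated `req_size` after the check (not from `req->actual`), otherwise a zero-byte memcpy() can be paired with a stale or oversized size field. The dev_err() in the new branch fires on a condition controlled by the peer and can repeat on every request, so dev_err_ratelimited() would be the safer choice for that message.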

Is rc.sdata always rc.capacity sized? If so, this would be a good first adopter of the __counted_by annotation for pointer struct members, available in Clang trunk and soon in GCC:
https://gcc.gnu.org/pipermail/gcc-patches/2025-May/683696.html

-Kees

-- 
Kees Cook
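The following is an added userspace model of the two points raised in this exchange, not code from the patch or from the kernel: the validated copy in the quoted hunk (length checked against the buffer capacity before memcpy(), size set only from the validated length), and the size-never-exceeds-capacity relation that a __counted_by(capacity) annotation on a pointer member like rc.sdata would express to the compiler. struct fcall_model, rx_complete_model(), fcall_invariant_holds() and the RX_* status values are constructed stand-ins for struct p9_fcall, usb9pfs_rx_complete() and REQ_STATUS_*; the annotation itself is only described in a comment because the host compiler may not support it on pointers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of one completed receive request; stands in for the driver's
 * REQ_STATUS_* values (constructed for this example). */
enum rx_status { RX_OK = 0, RX_ERROR = 1 };

/* Userspace model of the struct p9_fcall fields the fix relies on. sdata is
 * a pointer member, so in the kernel it is where an annotation of the form
 *     unsigned char *sdata __counted_by(capacity);
 * would go once the compiler supports __counted_by on pointer members (not
 * applied here: the host compiler may not support it). */
struct fcall_model {
	size_t size;          /* bytes of valid data currently in sdata */
	size_t capacity;      /* bytes allocated behind sdata */
	unsigned char *sdata;
};

int fcall_init(struct fcall_model *rc, size_t capacity)
{
	rc->sdata = calloc(capacity, 1);
	if (!rc->sdata)
		return -1;
	rc->size = 0;
	rc->capacity = capacity;
	return 0;
}

void fcall_free(struct fcall_model *rc)
{
	free(rc->sdata);
	rc->sdata = NULL;
	rc->size = rc->capacity = 0;
}

/* Models the copy step of the completion handler. 'actual' plays the role of
 * req->actual, the byte count the controller reports for the request. The
 * length is validated against capacity before the copy, and size is assigned
 * from the validated length so it can never claim more than was copied. */
enum rx_status rx_complete_model(struct fcall_model *rc,
				 const unsigned char *buf, unsigned int actual)
{
	size_t req_size = actual;
	enum rx_status status = RX_OK;

	if (req_size > rc->capacity) {
		fprintf(stderr, "received data size %zu exceeds buffer capacity %zu\n",
			req_size, rc->capacity);
		req_size = 0;           /* copy nothing from the oversized request */
		status = RX_ERROR;
	}

	memcpy(rc->sdata, buf, req_size);
	rc->size = req_size;
	return status;
}

/* The relation a __counted_by(capacity) annotation states for the compiler:
 * the valid data never extends past the allocation behind sdata. */
int fcall_invariant_holds(const struct fcall_model *rc)
{
	return rc->sdata != NULL && rc->size <= rc->capacity;
}

int main(void)
{
	struct fcall_model rc;
	unsigned char in_bounds[4] = { 'R', 'e', 'a', 'd' };   /* constructed sample */
	unsigned char oversized[16] = { 0 };                   /* constructed sample */
	enum rx_status st;

	if (fcall_init(&rc, 8) != 0)
		return 1;

	st = rx_complete_model(&rc, in_bounds, 4);
	printf("4 bytes into 8: status %d, size %zu\n", st, rc.size);

	st = rx_complete_model(&rc, oversized, 16);
	printf("16 bytes into 8: status %d, size %zu\n", st, rc.size);

	fcall_free(&rc);
	return 0;
}
```

The second call models the case the patch guards against: the reported length exceeds the 8-byte allocation, nothing is copied, the status is an error, and the invariant checked by fcall_invariant_holds() still holds afterwards.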
