Message-Id: <20250703-fix-oob-mon_copy_to_buff-v1-1-1aa7f5723d91@iiitd.ac.in>
Date: Thu, 03 Jul 2025 02:57:40 +0530
From: Manas Gupta via B4 Relay <devnull+manas18244.iiitd.ac.in@...nel.org>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, 
 Pete Zaitcev <zaitcev@...hat.com>, Paolo Abeni <paolo.abeni@...il.it>
Cc: linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org, 
 Greg Kroah-Hartman <gregkh@...e.de>, 
 syzbot+86b6d7c8bcc66747c505@...kaller.appspotmail.com, 
 Manas Gupta <manas18244@...td.ac.in>
Subject: [PATCH] usbmon: Fix out-of-bounds read in mon_copy_to_buff

From: Manas Gupta <manas18244@...td.ac.in>

memcpy tries to copy buffer 'from' when it is empty. This leads to
an out-of-bounds crash.

This checks if the buffer is already empty and throws an appropriate
error message before bailing out.

Fixes: 6f23ee1fefdc1 ("USB: add binary API to usbmon")
Reported-by: syzbot+86b6d7c8bcc66747c505@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=86b6d7c8bcc66747c505
Signed-off-by: Manas Gupta <manas18244@...td.ac.in>
---
I have used printk(KERN_ERR ... to keep things consistent in usbmon.
dev_err and pr_err are not used anywhere else in usbmon.
---
 drivers/usb/mon/mon_bin.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c
index c93b43f5bc4614ad75568b601c47a1ae51f01fa5..bd945052f6fb821ba814fab96eba5a82e5d161e2 100644
--- a/drivers/usb/mon/mon_bin.c
+++ b/drivers/usb/mon/mon_bin.c
@@ -249,6 +249,11 @@ static unsigned int mon_copy_to_buff(const struct mon_reader_bin *this,
 		 * Copy data and advance pointers.
 		 */
 		buf = this->b_vec[off / CHUNK_SIZE].ptr + off % CHUNK_SIZE;
+		if (!strlen(from)) {
+			printk(KERN_ERR TAG
+			       ": src buffer is empty, cannot copy from it\n");
+			return -ENOMEM;
+		}
 		memcpy(buf, from, step_len);
 		if ((off += step_len) >= this->b_size) off = 0;
 		from += step_len;
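
Review bot: the `if (!strlen(from))` test added before the `memcpy` treats `from` as a NUL-terminated string, but the copy that follows is length-driven (`memcpy(buf, from, step_len)`), so `from` is binary data. A payload whose first byte is 0x00 would be rejected as "empty", a non-empty but too-short source still passes the check, and `strlen` itself keeps reading until it finds a NUL, which can run past the end of the source on its own. The hunk header also shows the function returns `unsigned int`, so `return -ENOMEM;` is converted to a large positive value rather than a negative error code. I would drop the string check and instead compare the requested length against the real size of the source buffer before this function is called, and leave the KERN_ERR printk out of the copy path, since anything that can trigger it repeatedly will flood the log.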

---
base-commit: d0b3b7b22dfa1f4b515fd3a295b3fd958f9e81af
change-id: 20250703-fix-oob-mon_copy_to_buff-7cfe26e819b9

Best regards,
-- 
Manas Gupta <manas18244@...td.ac.in>
