Message-ID: <2025071116-landline-antelope-5c9f@gregkh>
Date: Fri, 11 Jul 2025 08:51:30 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: jackysliu <1972843537@...com>
Cc: linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
	viro@...iv.linux.org.uk
Subject: Re: [PATCH v2] usb: gadget: functioni: Fix a oob problem in rndis

On Fri, Jul 11, 2025 at 02:40:19PM +0800, jackysliu wrote:
> On Fri, Jul 11, 2025 at 11:46:35AM +0800, greg k-h wrote
> >Sure, but again, BufLength is not used for anything, so the value of
> >that variable means nothing as far as I can tell.
> >How exactly?  Again, BufLength isn't even used in that function
> The function contains the code below:
> if (gen_ndis_set_resp(params, le32_to_cpu(buf->OID),
> 			((u8 *)buf) + 8 + BufOffset, BufLength, r))
> ((u8 *)buf) + 8 + BufOffset determines base address of buffer
> and BufLength determines buflen.

Yes, and then look to see what buf_len (not buflen) in
gen_ndis_set_resp() is used for.  I'll wait... :)


> >How was this tested?
> >
> >And even more importantly, how did you find this bug?  What triggered
> >it?
> I detected this problem through static analysis and calibrated
> the device via qemu emulation.

What tool generated this static analysis?  You always have to mention
that as per our development rules.

And what qemu setup did you use to test this?  That would be helpful to
know so that I can verify it on my end.

thanks,

greg k-h
