lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250720200057.19720-1-contact@arnaud-lcm.com>
Date: Sun, 20 Jul 2025 21:00:57 +0100
From: Arnaud Lecomte <contact@...aud-lcm.com>
To: gregkh@...uxfoundation.org
Cc: linux-usb@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	viro@...iv.linux.org.uk,
	snovitoll@...il.com,
	syzbot+86b6d7c8bcc66747c505@...kaller.appspotmail.com,
	syzkaller-bugs@...glegroups.com,
	contact@...aud-lcm.com
Subject: [PATCH] usb: mon: Fix slab-out-of-bounds in mon_bin_event due to
 unsafe URB transfer_buffer access

The syzkaller fuzzer uncovered a kernel slab-out-of-bounds
 write in the USB monitoring subsystem (mon_bin) when handling
 a malformed URB (USB Request Block) with the following properties:
 - transfer_buffer_length = 0xffff
 - actual_length = 0x0 (no data transferred)
 - number_of_packets = 0x0 (non-isochronous transfer)

When reaching the mon_copy_to_buff function,
 we will try to copy into the mon rp bin with the following parameters:
off=0xcc0, from=0xffff8880246df5e1 "", length=0xf000

At the first iteration, the step_len is 0x340 and it is during the mem_cpy
that the slab-out-of-bounds happens.
As step_len < transfer_buffer_length, we can deduce that it is related
 to an issue with the transfer_buffer being invalid.
The patch proposes a safe access to the kernel
 kernel buffer urb->transfer_buffer with `copy_from_kernel_nofault`.

Reported-by: syzbot+86b6d7c8bcc66747c505@...kaller.appspotmail.com
Fixes: 6f23ee1fefdc1 ("USB: add binary API to usbmon")
Closes: https://syzkaller.appspot.com/bug?extid=86b6d7c8bcc66747c505
Tested-by: syzbot+86b6d7c8bcc66747c505@...kaller.appspotmail.com
Signed-off-by: Arnaud Lecomte <contact@...aud-lcm.com>
---
 drivers/usb/mon/mon_bin.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c
index c93b43f5bc46..d3bef2a37eb0 100644
--- a/drivers/usb/mon/mon_bin.c
+++ b/drivers/usb/mon/mon_bin.c
@@ -249,7 +249,11 @@ static unsigned int mon_copy_to_buff(const struct mon_reader_bin *this,
 		 * Copy data and advance pointers.
 		 */
 		buf = this->b_vec[off / CHUNK_SIZE].ptr + off % CHUNK_SIZE;
-		memcpy(buf, from, step_len);
+
+		if (copy_from_kernel_nofault(buf, from, step_len)) {
+			pr_warn("Failed to copy URB transfer buffer content into mon bin.");
+			return -EFAULT;
+		}
 		if ((off += step_len) >= this->b_size) off = 0;
 		from += step_len;
 		length -= step_len;
@@ -413,11 +417,13 @@ static unsigned int mon_bin_get_data(const struct mon_reader_bin *rp,
 
 	*flag = 0;
 	if (urb->num_sgs == 0) {
-		if (urb->transfer_buffer == NULL) {
+		if (
+			urb->transfer_buffer == NULL ||
+			mon_copy_to_buff(rp, offset, urb->transfer_buffer, length) < 0
+		) {
 			*flag = 'Z';
 			return length;
 		}
-		mon_copy_to_buff(rp, offset, urb->transfer_buffer, length);
 		length = 0;
 
 	} else {
@@ -434,6 +440,10 @@ static unsigned int mon_bin_get_data(const struct mon_reader_bin *rp,
 			this_len = min_t(unsigned int, sg->length, length);
 			offset = mon_copy_to_buff(rp, offset, sg_virt(sg),
 					this_len);
+			if (offset < 0) {
+				*flag = 'Z';
+				return length;
+			}
 			length -= this_len;
 		}
 		if (i == 0)
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ