| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202507230548.g6zwppI6-lkp@intel.com>
Date: Wed, 23 Jul 2025 06:10:26 +0800
From: kernel test robot <lkp@...el.com>
To: Arnaud Lecomte <contact@...aud-lcm.com>, gregkh@...uxfoundation.org
Cc: oe-kbuild-all@...ts.linux.dev, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org, viro@...iv.linux.org.uk,
snovitoll@...il.com,
syzbot+86b6d7c8bcc66747c505@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com, contact@...aud-lcm.com
Subject: Re: [PATCH] usb: mon: Fix slab-out-of-bounds in mon_bin_event due to
unsafe URB transfer_buffer access
Hi Arnaud,
kernel test robot noticed the following build warnings:
[auto build test WARNING on usb/usb-testing]
[also build test WARNING on usb/usb-next usb/usb-linus westeri-thunderbolt/next linus/master v6.16-rc7 next-20250722]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Arnaud-Lecomte/usb-mon-Fix-slab-out-of-bounds-in-mon_bin_event-due-to-unsafe-URB-transfer_buffer-access/20250721-040222
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
patch link: https://lore.kernel.org/r/20250720200057.19720-1-contact%40arnaud-lcm.com
patch subject: [PATCH] usb: mon: Fix slab-out-of-bounds in mon_bin_event due to unsafe URB transfer_buffer access
config: m68k-randconfig-r073-20250723 (https://download.01.org/0day-ci/archive/20250723/202507230548.g6zwppI6-lkp@intel.com/config)
compiler: m68k-linux-gcc (GCC) 14.3.0
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202507230548.g6zwppI6-lkp@intel.com/
smatch warnings:
drivers/usb/mon/mon_bin.c:422 mon_bin_get_data() warn: unsigned 'mon_copy_to_buff(rp, offset, urb->transfer_buffer, length)' is never less than zero.
drivers/usb/mon/mon_bin.c:443 mon_bin_get_data() warn: unsigned 'offset' is never less than zero.
vim +422 drivers/usb/mon/mon_bin.c
409
410 static unsigned int mon_bin_get_data(const struct mon_reader_bin *rp,
411 unsigned int offset, struct urb *urb, unsigned int length,
412 char *flag)
413 {
414 int i;
415 struct scatterlist *sg;
416 unsigned int this_len;
417
418 *flag = 0;
419 if (urb->num_sgs == 0) {
420 if (
421 urb->transfer_buffer == NULL ||
> 422 mon_copy_to_buff(rp, offset, urb->transfer_buffer, length) < 0
423 ) {
424 *flag = 'Z';
425 return length;
426 }
427 length = 0;
428
429 } else {
430 /* If IOMMU coalescing occurred, we cannot trust sg_page */
431 if (urb->transfer_flags & URB_DMA_SG_COMBINED) {
432 *flag = 'D';
433 return length;
434 }
435
436 /* Copy up to the first non-addressable segment */
437 for_each_sg(urb->sg, sg, urb->num_sgs, i) {
438 if (length == 0 || PageHighMem(sg_page(sg)))
439 break;
440 this_len = min_t(unsigned int, sg->length, length);
441 offset = mon_copy_to_buff(rp, offset, sg_virt(sg),
442 this_len);
> 443 if (offset < 0) {
444 *flag = 'Z';
445 return length;
446 }
447 length -= this_len;
448 }
449 if (i == 0)
450 *flag = 'D';
451 }
452
453 return length;
454 }
455
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Powered by blists - more mailing lists