lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <71613c2a-73d5-4f6e-a71b-03a2aa0f7bdf@suse.com>
Date: Wed, 8 Oct 2025 23:23:59 +0200
From: Oliver Neukum <oneukum@...e.com>
To: Thorsten Blum <thorsten.blum@...ux.dev>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Alan Stern <stern@...land.harvard.edu>, Rex Nie <rex.nie@...uarmicro.com>,
 Jann Horn <jannh@...gle.com>
Cc: linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] USB: core: replace kmalloc + copy_from_user with
 memdup_user

Hi,

On 19.09.25 13:56, Thorsten Blum wrote:
> Replace kmalloc() followed by copy_from_user() with memdup_user() to
> simplify and improve proc_do_submiturb(). Replace the hard-coded 8 bytes
> with the size of 'struct usb_ctrlrequest'.
> 
> Return early if an error occurs, and avoid manually setting 'ret' and
> using 'goto error'.
> 
> No functional changes intended.
> 
> Signed-off-by: Thorsten Blum <thorsten.blum@...ux.dev>
> ---
>   drivers/usb/core/devio.c | 10 +++-------
>   1 file changed, 3 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
> index f6ce6e26e0d4..3bc54a5c59ff 100644
> --- a/drivers/usb/core/devio.c
> +++ b/drivers/usb/core/devio.c
> @@ -1670,13 +1670,9 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
>   		/* min 8 byte setup packet */
>   		if (uurb->buffer_length < 8)
>   			return -EINVAL;
> -		dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
> -		if (!dr)
> -			return -ENOMEM;
> -		if (copy_from_user(dr, uurb->buffer, 8)) {
> -			ret = -EFAULT;
> -			goto error;
> -		}
> +		dr = memdup_user(uurb->buffer, sizeof(struct usb_ctrlrequest));

You cannot do this. User space cannot and must not know or care how long
struct usb_ctrlrequest is. It is a data structure internal to the kernel.
For the purpose of this API we copy 8 bytes. That is set in stone.
If the kernel's data structure ever changes length, we will have
to define a new ioctl.

You have to leave the literal 8.

	Regards
		Oliver

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ