Message-ID: <CA+fCnZeZ+c15X8BXg59ppbEmEUvp64aMaTPjXARyO_0x6KL+eQ@mail.gmail.com>
Date: Tue, 28 Oct 2025 21:15:47 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: Gopi Krishna Menon <krishnagopi487@...il.com>
Cc: gregkh@...uxfoundation.org, snovitoll@...il.com, linux-usb@...r.kernel.org, 
	linux-kernel@...r.kernel.org, skhan@...uxfoundation.org, 
	david.hunter.linux@...il.com, khalid@...nel.org, 
	linux-kernel-mentees@...ts.linux.dev, 
	syzbot+d8fd35fa6177afa8c92b@...kaller.appspotmail.com
Subject: Re: [PATCH] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE

On Tue, Oct 28, 2025 at 5:57 PM Gopi Krishna Menon
<krishnagopi487@...il.com> wrote:
>
> The previous commit removed the PAGE_SIZE limit on the transfer length of
> the raw_io buffer in order to avoid any problems with emulating USB devices
> whose full configuration descriptor exceeds PAGE_SIZE in length. However,
> this also removes the upper bound on the user-supplied length, allowing very
> large values to be passed to the allocator.
>
> syzbot, on fuzzing the transfer length with a very large value (1.81GB),
> results in kmalloc() falling back to the page allocator, which triggers
> a kernel warning as the page allocator cannot handle allocations larger
> than MAX_PAGE_ORDER/KMALLOC_MAX_SIZE.

Ah, right.

>
> Since there is no limit imposed on the size of the buffer for both control
> and non-control transfers, cap the raw_io transfer length to
> KMALLOC_MAX_SIZE and return -EINVAL for a larger transfer length to
> prevent any warnings from the page allocator.
>
> Fixes: 37b9dd0d114a ("usb: raw-gadget: do not limit transfer length")
> Tested-by: syzbot+d8fd35fa6177afa8c92b@...kaller.appspotmail.com
> Reported-by: syzbot+d8fd35fa6177afa8c92b@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/all/68fc07a0.a70a0220.3bf6c6.01ab.GAE@google.com/
> Signed-off-by: Gopi Krishna Menon <krishnagopi487@...il.com>
> ---
>  drivers/usb/gadget/legacy/raw_gadget.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
> index b71680c58de6..46f343ba48b3 100644
> --- a/drivers/usb/gadget/legacy/raw_gadget.c
> +++ b/drivers/usb/gadget/legacy/raw_gadget.c
> @@ -40,6 +40,7 @@ MODULE_LICENSE("GPL");
>
>  static DEFINE_IDA(driver_id_numbers);
>  #define DRIVER_DRIVER_NAME_LENGTH_MAX  32
> +#define USB_RAW_IO_LENGTH_MAX KMALLOC_MAX_SIZE
>
>  #define RAW_EVENT_QUEUE_SIZE   16
>
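Review bot: the new USB_RAW_IO_LENGTH_MAX define carries no comment explaining why KMALLOC_MAX_SIZE is the chosen bound, and it sits between two unrelated constants (DRIVER_DRIVER_NAME_LENGTH_MAX and RAW_EVENT_QUEUE_SIZE). A one-line comment such as "/* memdup_user() allocates with kmalloc(), so larger lengths would hit the page-allocator warning */" would tie the value to the rationale in the commit message for readers who only see the source.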
> @@ -667,6 +668,8 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
>                 return ERR_PTR(-EINVAL);
>         if (!usb_raw_io_flags_valid(io->flags))
>                 return ERR_PTR(-EINVAL);
> +       if (io->length > USB_RAW_IO_LENGTH_MAX)
> +               return ERR_PTR(-EINVAL);
>         if (get_from_user)
>                 data = memdup_user(ptr + sizeof(*io), io->length);
>         else {
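Review bot: the length check returns -EINVAL, the same errno as the two validation checks just above it, so userspace cannot tell an oversized length apart from invalid flags; if callers are expected to retry with a smaller buffer, a distinct errno (for example -E2BIG) would make that actionable. Placement is otherwise correct: the check precedes memdup_user() and the else branch, so neither the copy-from-user nor the kernel-side allocation path can reach the allocator with a length above KMALLOC_MAX_SIZE.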
> --
> 2.43.0
>

Reviewed-by: Andrey Konovalov <andreyknvl@...il.com>

Thank you!
