Open Source and information security mailing list archives
Message-ID: <krqj4q5xxp5tm3ufwmoyb7qcxnz5xoj5clebegdokq6mpjqb4t@mxonqsrhx2wt>
Date: Thu, 20 Nov 2025 15:37:08 +0530
From: Gopi Krishna Menon <krishnagopi487@...il.com>
To: andreyknvl@...il.com, gregkh@...uxfoundation.org
Cc: gregkh@...uxfoundation.org, snovitoll@...il.com, 
	linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org, skhan@...uxfoundation.org, 
	david.hunter.linux@...il.com, khalid@...nel.org, linux-kernel-mentees@...ts.linux.dev, 
	syzbot+d8fd35fa6177afa8c92b@...kaller.appspotmail.com
Subject: Re: [PATCH] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE

On Thu, Nov 13, 2025 at 10:09:08PM +0530, Gopi Krishna Menon wrote:

> On Tue, Oct 28, 2025 at 09:15:47PM +0100, Andrey Konovalov wrote:
> 
> > On Tue, Oct 28, 2025 at 5:57 PM Gopi Krishna Menon
> > <krishnagopi487@...il.com> wrote:
> > >
> > > The previous commit removed the PAGE_SIZE limit on the transfer length of
> > > the raw_io buffer in order to avoid any problems with emulating USB devices
> > > whose full configuration descriptor exceeds PAGE_SIZE in length. However,
> > > this also removes the upper bound on the user-supplied length, allowing very
> > > large values to be passed to the allocator.
> > >
> > > syzbot fuzzing the transfer length with a very large value (1.81GB)
> > > results in kmalloc() falling back to the page allocator, which triggers
> > > a kernel warning as the page allocator cannot handle allocations larger
> > > than MAX_PAGE_ORDER/KMALLOC_MAX_SIZE.
> > 
> > Ah, right.
> > 
> > >
> > > Since there is no limit imposed on the size of the buffer for both control
> > > and non-control transfers, cap the raw_io transfer length to
> > > KMALLOC_MAX_SIZE and return -EINVAL for larger transfer lengths to
> > > prevent any warnings from the page allocator.
> > >
> > > Fixes: 37b9dd0d114a ("usb: raw-gadget: do not limit transfer length")
> > > Tested-by: syzbot+d8fd35fa6177afa8c92b@...kaller.appspotmail.com
> > > Reported-by: syzbot+d8fd35fa6177afa8c92b@...kaller.appspotmail.com
> > > Closes: https://lore.kernel.org/all/68fc07a0.a70a0220.3bf6c6.01ab.GAE@google.com/
> > > Signed-off-by: Gopi Krishna Menon <krishnagopi487@...il.com>
> > > ---
> > >  drivers/usb/gadget/legacy/raw_gadget.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
> > > index b71680c58de6..46f343ba48b3 100644
> > > --- a/drivers/usb/gadget/legacy/raw_gadget.c
> > > +++ b/drivers/usb/gadget/legacy/raw_gadget.c
> > > @@ -40,6 +40,7 @@ MODULE_LICENSE("GPL");
> > >
> > >  static DEFINE_IDA(driver_id_numbers);
> > >  #define DRIVER_DRIVER_NAME_LENGTH_MAX  32
> > > +#define USB_RAW_IO_LENGTH_MAX KMALLOC_MAX_SIZE
> > >
> > >  #define RAW_EVENT_QUEUE_SIZE   16
> > >
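Review bot: USB_RAW_IO_LENGTH_MAX deserves a one-line comment next to its definition explaining why KMALLOC_MAX_SIZE is the bound; the commit message says the cap exists so a user-supplied io->length can never exceed what kmalloc() can serve without the page-allocator order warning syzbot hit, but a reader of raw_gadget.c alone cannot see that rationale. Something like `/* Largest io->length kmalloc() can satisfy; larger requests trip the page-allocator warning */` above the `#define` would make the constant self-explanatory and discourage a later "bump" to an arbitrary value.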
> > > @@ -667,6 +668,8 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
> > >                 return ERR_PTR(-EINVAL);
> > >         if (!usb_raw_io_flags_valid(io->flags))
> > >                 return ERR_PTR(-EINVAL);
> > > +       if (io->length > USB_RAW_IO_LENGTH_MAX)
> > > +               return ERR_PTR(-EINVAL);
> > >         if (get_from_user)
> > >                 data = memdup_user(ptr + sizeof(*io), io->length);
> > >         else {
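Review bot: the new check is placed after usb_raw_io_flags_valid() and before memdup_user(), which is the right ordering, but `if (io->length > USB_RAW_IO_LENGTH_MAX)` on its own reads like an arbitrary protocol limit rather than an allocator constraint; a short comment tying the -EINVAL to the page-allocator warning from the commit message would help. Also worth confirming in the patch description that the `else {` branch visible at the end of the hunk (the non-get_from_user path) allocates with the same io->length, so the cap really covers both control and non-control transfers as the commit message claims.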
> > > --
> > > 2.43.0
> > >
> > 
> > Reviewed-by: Andrey Konovalov <andreyknvl@...il.com>
> > 
> > Thank you!
> 
> Hi,
> 
> Just following up on this patch to check its status.
> Thanks again to Andrey Konovalov for the earlier review. Please let me
> know if any further changes are required from my side.
> 
> Thanks,
> Gopi Krishna Menon

Hi Greg,

Could you please take a look at this patch?

Thanks,
Gopi Krishna Menon
