Message-ID: <20251209134412.577797-1-avkrasnov@salutedevices.com>
Date: Tue, 9 Dec 2025 16:44:11 +0300
From: Arseniy Krasnov <avkrasnov@...utedevices.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Akash M
<akash.m5@...sung.com>
CC: <oxffffaa@...il.com>, <linux-usb@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <kernel@...utedevices.com>, Arseniy Krasnov
<avkrasnov@...utedevices.com>
Subject: [PATCH v1] usb: gadget: f_fs: trim extra bytes from USB req
In '__ffs_epfile_read_data()' the number of bytes to copy to the user iter is
returned by the USB driver in the field 'actual' of structure 'usb_request'
(see 'ffs_epfile_io_complete()'). Looks like some buggy driver may
return a value larger than the actual size of the kernel buffer of such a USB
request. This leads to the following crash (produced on the 'dwc2' USB
driver). To prevent this, let's add an extra check, which trims the reported
request length.
[] usercopy: Kernel memory exposure attempt detected from SLUB
object 'kmalloc-32' (offset 0, size 64)!
[] ------------[ cut here ]------------
[] kernel BUG at mm/usercopy.c:102!
[] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[] Modules linked in: vlsicomm(O)
[] CPU: 1 UID: 0 PID: 768 Comm: adbd Tainted: G O 6.15.11-sdkernel #1 PREEMPT
[] Tainted: [O]=OOT_MODULE
[] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[] pc : usercopy_abort+0x8c/0x90
[] lr : usercopy_abort+0x8c/0x90
[] sp : ffff800082283830
[] x29: ffff800082283840 x28: ffff0000034e6300 x27: 0000000000000000
[] x26: 0000000000000000 x25: ffff0000026b1f80 x24: 0001000000000000
[] x23: 000000000371dac0 x22: 0000000000000001 x21: ffff00000371db00
[] x20: 0000000000000040 x19: ffff00000371dac0 x18: 0000000000000006
[] x17: 656a626f2042554c x16: 53206d6f72662064 x15: 6574636574656420
[] x14: 00000000ffffffea x13: ffff800082283598 x12: ffff800080d70ec0
[] x11: ffff800080d5af18 x10: ffff800080d70f18 x9 : 0000000000000001
[] x8 : 0000000000000001 x7 : 0000000000005fe8 x6 : c0000000fffffbff
[] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[] x2 : 0000000000000000 x1 : ffff00000119cd80 x0 : 0000000000000064
[] Call trace:
[] usercopy_abort+0x8c/0x90 (P)
[] check_heap_object+0xd4/0xf0
[] check_object_size+0x204/0x2b0
[] ffs_epfile_io+0x6b8/0x820
[] ffs_epfile_read_iter+0xb4/0x180
[] vfs_read+0x2f4/0x320
[] ksys_read+0xec/0x110
[] __arm64_sys_read+0x1c/0x30
[] invoke_syscall+0x70/0x100
[] el0_svc_common.constprop.0+0x40/0xe0
[] do_el0_svc_compat+0x1c/0x40
[] el0_svc_compat+0x2c/0x80
[] el0t_32_sync_handler+0xb0/0x140
[] el0t_32_sync+0x1a0/0x1a4
[] Code: aa0003e3 90005960 91244000 97fff3d5 (d4210000)
[] ---[ end trace 0000000000000000 ]---
[] Kernel panic - not syncing: Oops - BUG: Fatal exception
[] SMP: stopping secondary CPUs
[] Kernel Offset: disabled
[] CPU features: 0x0000,00000000,01000000,0200420b
[] Memory Limit: none
[] Rebooting in 5 seconds..
Signed-off-by: Arseniy Krasnov <avkrasnov@...utedevices.com>
---
drivers/usb/gadget/function/f_fs.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 2dea9e42a0f86..de27dc93d0c55 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1142,11 +1142,18 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
if (interrupted)
ret = -EINTR;
- else if (io_data->read && io_data->status > 0)
+ else if (io_data->read && io_data->status > 0) {
+ if (io_data->status > data_len) {
+ dev_warn(&epfile->ffs->gadget->dev,
+ "trim read length from %d to %zi\n",
+ io_data->status, data_len);
+ io_data->status = data_len;
+ }
ret = __ffs_epfile_read_data(epfile, data, io_data->status,
&io_data->data);
- else
+ } else {
ret = io_data->status;
+ }
goto error_mutex;
} else if (!(req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC))) {
ret = -ENOMEM;
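Review bot: the dev_warn() in the new block fires on every affected read, and the commit message itself says a buggy controller driver can trigger this condition, so a misbehaving UDC would flood the log; consider dev_warn_ratelimited() or a WARN_ON_ONCE() here. Two smaller points: the comparison `io_data->status > data_len` mixes an int (`%d`) with a ssize_t (`%zi`), which is safe only because the enclosing `io_data->status > 0` already rules out negative values, and that is worth a comment next to the check; and the commit message should state that the surplus bytes reported by the driver are dropped rather than returned to the caller, since the change turns a detected memory exposure (what hardened usercopy caught in the trace) into a silent truncation, while the root cause remains in the controller driver.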
--
2.47.3
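The following is an added, stand-alone C model of the completion-then-copy path the patch is hardening; it is not code from the kernel or from this patch. It assumes a made-up `struct fake_usb_request` with only the fields that matter here (`length`, `actual`, `status`), a `clamp_read_len()` helper that mirrors the trim the patch inserts before the copy, and a constructed scenario (32-byte kernel buffer, driver reports 64 bytes) chosen to resemble the "kmalloc-32 ... size 64" line in the trace. The point it shows is the invariant the function driver must enforce on its own: the number of bytes copied out never exceeds the buffer that was allocated, regardless of what the controller driver reports.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for the fields of struct usb_request that matter:
 * 'length' is the size of the kernel buffer handed to the controller,
 * 'actual' is what the controller driver reports as transferred. */
struct fake_usb_request {
	size_t   length;   /* bytes allocated for this request */
	unsigned actual;   /* bytes the controller says it transferred */
	int      status;   /* 0 on success, negative errno otherwise */
};

/* Outcome of a completed read as the read path would return it. */
struct read_result {
	ssize_t copied;    /* bytes copied to the caller's buffer, or -errno */
	size_t  trimmed;   /* bytes dropped because 'actual' exceeded 'length' */
};

/* Clamp the reported completion length to the allocated buffer size.
 * Mirrors the check the patch adds: a driver-reported 'status' larger
 * than 'data_len' is trimmed instead of being passed to the copy. */
static ssize_t clamp_read_len(int status, ssize_t data_len, size_t *trimmed)
{
	*trimmed = 0;
	if (status <= 0)
		return status;          /* error or empty read: nothing to trim */
	if (status > data_len) {
		*trimmed = (size_t)(status - data_len);
		return data_len;
	}
	return status;
}

/* Model of the completion-then-copy path: the controller driver fills in
 * req->actual, the read path copies that many bytes from the kernel buffer
 * into the caller's buffer. Without the clamp an over-reported 'actual'
 * reads past the end of 'kbuf', which is what hardened usercopy caught. */
static struct read_result complete_and_copy(const struct fake_usb_request *req,
					    const uint8_t *kbuf,
					    uint8_t *ubuf, size_t ubuf_len)
{
	struct read_result res = { 0, 0 };
	size_t trimmed;
	ssize_t n;

	/* On success the completion handler stores req->actual as the status;
	 * a negative req->status is propagated unchanged. */
	int status = req->status ? req->status : (int)req->actual;

	n = clamp_read_len(status, (ssize_t)req->length, &trimmed);
	if (n < 0) {
		res.copied = n;
		return res;
	}
	if ((size_t)n > ubuf_len)
		n = (ssize_t)ubuf_len;  /* never exceed the caller's buffer either */

	memcpy(ubuf, kbuf, (size_t)n);
	res.copied = n;
	res.trimmed = trimmed;
	return res;
}

/* Constructed scenario: 32-byte kernel buffer, driver reports 64 bytes. */
static struct read_result buggy_driver_scenario(void)
{
	uint8_t kbuf[32];
	uint8_t ubuf[128];
	struct fake_usb_request req = { .length = sizeof(kbuf), .actual = 64, .status = 0 };

	memset(kbuf, 0xAB, sizeof(kbuf));
	return complete_and_copy(&req, kbuf, ubuf, sizeof(ubuf));
}

int main(void)
{
	struct read_result r = buggy_driver_scenario();

	printf("copied %zd bytes, trimmed %zu\n", r.copied, r.trimmed);
	return 0;
}
```

The clamp is deliberately placed before any copy and keyed on the allocation size the function driver itself knows, not on anything the controller driver reports; that is the property a reviewer would want to see preserved if the real check is later moved or refactored.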