| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d7ff6bd0-358a-4f84-a98c-ababe9c87082@salutedevices.com> Date: Wed, 17 Dec 2025 16:56:53 +0300 From: Arseniy Krasnov <avkrasnov@...utedevices.com> To: Greg Kroah-Hartman <gregkh@...uxfoundation.org> CC: Akash M <akash.m5@...sung.com>, <oxffffaa@...il.com>, <linux-usb@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <kernel@...utedevices.com> Subject: Re: [PATCH v1] usb: gadget: f_fs: trim extra bytes from USB req 17.12.2025 16:35, Greg Kroah-Hartman пишет: > On Tue, Dec 09, 2025 at 04:44:11PM +0300, Arseniy Krasnov wrote: >> In '__ffs_epfile_read_data()' number of bytes to copy to user iter is >> returned by USB driver in field 'actual' of structure 'usb_request' >> (see 'ffs_epfile_io_complete()'). Looks like some buggy driver may >> return value larger than actual size of kernel buffer of such USB >> request. This leads to the following crash (produced on 'dwc2' USB >> driver). To prevent this, let's add extra check, which trims reported >> request length. > > Why not fix the broken driver instead? That would resolve this > properly, and not force the gadget code to work around obviously-broken > kernel code. > I tried to debug driver (dwc2), but it is unclear how this happens (may be due to some hw issues invalid length is reported). So as extra "protection" I added this code to the common logic. > We try to fix bugs at the root, not paper over them elsewhere. > > So what driver is causing this? I reproduced once with drivers/usb/dwc2 driver. May be such check could be moved inside this driver. In this case only single potential buggy driver will get workaround. > > thanks, > > greg k-h Thanks
Powered by blists - more mailing lists