projects / profile / wearable / platform / kernel / linux-4.9-exynos9110.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e39b171)
USB: devio: Don't corrupt user memory
authorDan Carpenter <dan.carpenter@oracle.com>
Fri, 22 Sep 2017 20:43:46 +0000 (23:43 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Oct 2017 09:51:17 +0000 (11:51 +0200)
commit fa1ed74eb1c233be6131ec92df21ab46499a15b6 upstream.

The user buffer has "uurb->buffer_length" bytes.  If the kernel has more
information than that, we should truncate it instead of writing past
the end of the user's buffer.  I added a WARN_ONCE() to help the user
debug the issue.

Reported-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/core/devio.c patch | blob | history

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index c8075eb..860108c 100644 (file)
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1577,7 +1577,11 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
                        totlen += isopkt[u].length;
                }
                u *= sizeof(struct usb_iso_packet_descriptor);
-               uurb->buffer_length = totlen;
+               if (totlen <= uurb->buffer_length)
+                       uurb->buffer_length = totlen;
+               else
+                       WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
+                                 totlen, uurb->buffer_length);
                break;
 
        default:
Domain: System / Kernel;