Message ID | 20181008191913.11527-1-sudip.mukherjee@codethink.co.uk (mailing list archive) |
---|---|
State | New, archived |
Series | usbip: vhci_hcd: check port number before using |

Hi Sudip,

On 10/08/2018 01:19 PM, Sudip Mukherjee wrote:
> From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
>
> The port number is checked and it just prints an error message but it
> still continues to use the invalid port. And as a result it accesses
> memory which is not its resulting in BUG report from KASAN.

Yes there is an issue with out of bounds access. But this isn't the
right fix.

>
> Reported-by: syzbot+600b03e0cf1b73bb23c4@syzkaller.appspotmail.com
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>

I sent in a fix for this last Friday.

https://patchwork.kernel.org/patch/10628833/

thanks,
-- Shuah

On Mon, Oct 8, 2018 at 8:29 PM Shuah Khan <shuah@kernel.org> wrote:
>
> Hi Sudip,
>
> On 10/08/2018 01:19 PM, Sudip Mukherjee wrote:
> > From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> >
> > The port number is checked and it just prints an error message but it
> > still continues to use the invalid port. And as a result it accesses
> > memory which is not its resulting in BUG report from KASAN.
>
> Yes there is an issue with out of bounds access. But this isn't the
> right fix.
>
> >
> > Reported-by: syzbot+600b03e0cf1b73bb23c4@syzkaller.appspotmail.com
> > Cc: stable <stable@vger.kernel.org>
> > Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
>
> I sent in a fix for this last Friday.
>
> https://patchwork.kernel.org/patch/10628833/

And I can confirm this patch also fixes the issue tested with the
reproducer I was using in my vm.

On 10/08/2018 02:01 PM, Sudip Mukherjee wrote:
> On Mon, Oct 8, 2018 at 8:29 PM Shuah Khan <shuah@kernel.org> wrote:
>>
>> Hi Sudip,
>>
>> On 10/08/2018 01:19 PM, Sudip Mukherjee wrote:
>>> From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
>>>
>>> The port number is checked and it just prints an error message but it
>>> still continues to use the invalid port. And as a result it accesses
>>> memory which is not its resulting in BUG report from KASAN.
>>
>> Yes there is an issue with out of bounds access. But this isn't the
>> right fix.
>>
>>>
>>> Reported-by: syzbot+600b03e0cf1b73bb23c4@syzkaller.appspotmail.com
>>> Cc: stable <stable@vger.kernel.org>
>>> Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
>>
>> I sent in a fix for this last Friday.
>>
>> https://patchwork.kernel.org/patch/10628833/
>
> And I can confirm this patch also fixes the issue tested with the
> reproducer I was using in my vm.
>
>

Great Thanks for testing the patch.

thanks,
-- Shuah

diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c index d11f3f8dad40..71883aa788ac 100644 --- a/drivers/usb/usbip/vhci_hcd.c +++ b/drivers/usb/usbip/vhci_hcd.c @@ -334,8 +334,10 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, usbip_dbg_vhci_rh("typeReq %x wValue %x wIndex %x\n", typeReq, wValue, wIndex); - if (wIndex > VHCI_HC_PORTS) + if (wIndex > VHCI_HC_PORTS) { pr_err("invalid port number %d\n", wIndex); + return -ENODEV; + } rhport = wIndex - 1; vhci_hcd = hcd_to_vhci_hcd(hcd);
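
Review bot: the early return added to the `wIndex > VHCI_HC_PORTS` branch only bounds the port number from above, so `rhport = wIndex - 1;` on the next line still runs with wIndex == 0 and yields an index one below the first port. If rhport is used as an array index later, the check should also reject zero wherever a port number is required. The test also sits ahead of any look at typeReq (which is only printed in the lines above it), so every hub control request with a large wIndex now gets -ENODEV, including any request type where wIndex is not a port number at all. Consider moving the validation to the paths that actually use rhport, and returning from there, instead of rejecting at the top of vhci_hub_control(). Since the pr_err() is reached directly from a caller-supplied wIndex, a rate-limited print would keep a misbehaving caller from flooding the log.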