| Message ID | 20180815204412.wlum4yfudln26cjq@xylophone.i.decadent.org.uk (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/2] USB: yurex: Fix buffer over-read in yurex_write() | expand |
On Wed, Aug 15, 2018 at 10:44 PM Ben Hutchings <ben.hutchings@codethink.co.uk> wrote: > > If the written data starts with a digit, yurex_write() tries to parse > it as an integer using simple_strtoull(). This requires a null- > terminator, and currently there's no guarantee that there is one. Oh, good catch. > (The sample program at > https://github.com/NeoCat/YUREX-driver-for-Linux/blob/master/sample/yurex_clock.pl > writes an integer without a null terminator. It seems like it must > have worked by chance!) > > Always add a null byte after the written data. Enlarge the buffer > to allow for this. > > Cc: stable@vger.kernel.org > Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> > --- > drivers/usb/misc/yurex.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c > index 3be40eaa1ac9..1232dd49556d 100644 > --- a/drivers/usb/misc/yurex.c > +++ b/drivers/usb/misc/yurex.c > @@ -421,13 +421,13 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, > { > struct usb_yurex *dev; > int i, set = 0, retval = 0; > - char buffer[16]; > + char buffer[16 + 1]; > char *data = buffer; > unsigned long long c, c2 = 0; > signed long timeout = 0; > DEFINE_WAIT(wait); > > - count = min(sizeof(buffer), count); > + count = min(sizeof(buffer) - 1, count); > dev = file->private_data; > > /* verify that we actually have some data to write */ > @@ -446,6 +446,7 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, > retval = -EFAULT; > goto error; > } > + buffer[count] = 0; > memset(dev->cntl_buffer, CMD_PADDING, YUREX_BUF_SIZE); > > switch (buffer[0]) { By the way: A little bit below here, there's some other line that looks bogus: > buffer[6] = CMD_EOF; AFAICS that should probably go into ->cntl_buffer; `buffer` and `data` aren't used below that point. But that'd just be a functional bug, not security-relevant, so I'm not sure whether anyone cares.
On Thu, 2018-08-16 at 04:15 +0200, Jann Horn wrote: > On Wed, Aug 15, 2018 at 10:44 PM Ben Hutchings > <ben.hutchings@codethink.co.uk> wrote: [...] > > @@ -446,6 +446,7 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, > > retval = -EFAULT; > > goto error; > > } > > + buffer[count] = 0; > > memset(dev->cntl_buffer, CMD_PADDING, YUREX_BUF_SIZE); > > > > switch (buffer[0]) { > > By the way: A little bit below here, there's some other line that looks bogus: > > > buffer[6] = CMD_EOF; > > AFAICS that should probably go into ->cntl_buffer; `buffer` and `data` > aren't used below that point. But that'd just be a functional bug, not > security-relevant, so I'm not sure whether anyone cares. Yes I noticed that too. Since I can't test with the actual hardware, I left it alone. For all I know, the firmware actually expects CMD_PADDING and not CMD_EOF at the end of this command. Ben.
diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c index 3be40eaa1ac9..1232dd49556d 100644 --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -421,13 +421,13 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, { struct usb_yurex *dev; int i, set = 0, retval = 0; - char buffer[16]; + char buffer[16 + 1]; char *data = buffer; unsigned long long c, c2 = 0; signed long timeout = 0; DEFINE_WAIT(wait); - count = min(sizeof(buffer), count); + count = min(sizeof(buffer) - 1, count); dev = file->private_data; /* verify that we actually have some data to write */ @@ -446,6 +446,7 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, retval = -EFAULT; goto error; } + buffer[count] = 0; memset(dev->cntl_buffer, CMD_PADDING, YUREX_BUF_SIZE); switch (buffer[0]) {
If the written data starts with a digit, yurex_write() tries to parse it as an integer using simple_strtoull(). This requires a null- terminator, and currently there's no guarantee that there is one. (The sample program at https://github.com/NeoCat/YUREX-driver-for-Linux/blob/master/sample/yurex_clock.pl writes an integer without a null terminator. It seems like it must have worked by chance!) Always add a null byte after the written data. Enlarge the buffer to allow for this. Cc: stable@vger.kernel.org Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> --- drivers/usb/misc/yurex.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)