X-Patchwork-Id: 10566843
Date: Wed, 15 Aug 2018 21:45:37 +0100
From: Ben Hutchings
To: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, Jann Horn
Subject: [PATCH 2/2] USB: yurex: Check for truncation in yurex_read()
Message-ID: <20180815204537.45rum3f5abnuxpi7@xylophone.i.decadent.org.uk>
In-Reply-To: <20180815204412.wlum4yfudln26cjq@xylophone.i.decadent.org.uk>

snprintf() always returns the full length of the string it could have printed, even if it was truncated because the buffer was too small. So in case the counter value is truncated, we will over-read from in_buffer and over-write to the caller's buffer.

I don't think it's actually possible for this to happen, but in case truncation occurs, WARN and return -EIO.

Signed-off-by: Ben Hutchings
--- drivers/usb/misc/yurex.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c index 1232dd49556d..6d9fd5f64903 100644 --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -413,6 +413,9 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, spin_unlock_irqrestore(&dev->lock, flags); mutex_unlock(&dev->io_mutex); + if (WARN_ON_ONCE(len >= sizeof(in_buffer))) + return -EIO; + return simple_read_from_buffer(buffer, count, ppos, in_buffer, len); }
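
Review bot: The guard added just before the final simple_read_from_buffer() call has no comment explaining how len can reach sizeof(in_buffer); the reason (snprintf() returning the untruncated length) lives only in the commit message, so a one-line comment above the WARN_ON_ONCE() would keep a later reader from removing it as dead code. Since the message says the condition is not expected to be reachable, WARN_ON_ONCE() is a reasonable choice, but it will halt a system that sets panic_on_warn if that assumption ever proves wrong, so the changelog should say why the counter cannot be long enough to truncate. An alternative is to format with scnprintf(), which returns the number of characters actually stored, so len would be bounded by construction; that trades the -EIO for silently returning a truncated counter, so the explicit check is the better of the two if truncation should be visible to the caller.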
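
The snprintf() return-value behaviour described in the commit message, shown as a userspace C illustration added here (it is not code from the patch or from the yurex driver). DEMO_BUF_SIZE, format_unchecked() and format_checked() are hypothetical names, and the buffer size and sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size, deliberately small so truncation is easy to trigger;
 * it is not the size of in_buffer in the driver. */
#define DEMO_BUF_SIZE 8

/* Pattern the commit message warns about: the return value is taken as the
 * number of bytes stored. On truncation snprintf() instead returns the length
 * the complete string would have had, which is larger than the buffer. */
static int format_unchecked(char *buf, size_t size, long long value)
{
    return snprintf(buf, size, "%lld\n", value);
}

/* Checked form, mirroring the test in the patch: len >= size means the
 * output was truncated, so report an error instead of handing len to a copy
 * routine. Returns the stored length, or -1 on truncation or format error. */
static int format_checked(char *buf, size_t size, long long value)
{
    int len = snprintf(buf, size, "%lld\n", value);

    if (len < 0 || (size_t)len >= size)
        return -1;
    return len;
}

int main(void)
{
    char buf[DEMO_BUF_SIZE];
    int len;

    /* "123456789012\n" needs 13 bytes plus NUL; only 7 plus NUL fit. */
    len = format_unchecked(buf, sizeof(buf), 123456789012LL);
    printf("unchecked: claimed %d, stored %zu, buffer %zu\n",
           len, strlen(buf), sizeof(buf));

    len = format_checked(buf, sizeof(buf), 123456789012LL);
    printf("checked (too long): %d\n", len);

    len = format_checked(buf, sizeof(buf), 42);
    printf("checked (fits): %d\n", len);
    return 0;
}
```

Passing the unchecked length to a copy routine as the amount of available data is what would read past the end of the source buffer; the checked form never returns a length the buffer does not hold.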