Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2018-10-15 17:48:50 +0200
committerTakashi Iwai <tiwai@suse.de>2018-10-15 17:49:18 +0200
commitfac9285c6ecdb84279d68060c9ae649f192cb4ce (patch)
tree26c1b9412f275623c3c3273d140ed1ca0f89c6b9
parent18db61b6d78267921a8dcbe1522ab3b689c4f2b3 (diff)
USB: yurex: Check for truncation in yurex_read() (bsc#1051510).
-rw-r--r--patches.drivers/USB-yurex-Check-for-truncation-in-yurex_read.patch41
-rw-r--r--series.conf1
2 files changed, 42 insertions, 0 deletions
diff --git a/patches.drivers/USB-yurex-Check-for-truncation-in-yurex_read.patch b/patches.drivers/USB-yurex-Check-for-truncation-in-yurex_read.patch
new file mode 100644
index 0000000000..06151b097a
--- /dev/null
+++ b/patches.drivers/USB-yurex-Check-for-truncation-in-yurex_read.patch
@@ -0,0 +1,41 @@
+From 14427b86837a4baf1c121934c6599bdb67dfa9fc Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Wed, 15 Aug 2018 21:45:37 +0100
+Subject: [PATCH] USB: yurex: Check for truncation in yurex_read()
+Git-commit: 14427b86837a4baf1c121934c6599bdb67dfa9fc
+Patch-mainline: v4.19-rc4
+References: bsc#1051510
+
+snprintf() always returns the full length of the string it could have
+printed, even if it was truncated because the buffer was too small.
+So in case the counter value is truncated, we will over-read from
+in_buffer and over-write to the caller's buffer.
+
+I don't think it's actually possible for this to happen, but in case
+truncation occurs, WARN and return -EIO.
+
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/misc/yurex.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
+index 1232dd49556d..6d9fd5f64903 100644
+--- a/drivers/usb/misc/yurex.c
++++ b/drivers/usb/misc/yurex.c
+@@ -413,6 +413,9 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
+ spin_unlock_irqrestore(&dev->lock, flags);
+ mutex_unlock(&dev->io_mutex);
+
++ if (WARN_ON_ONCE(len >= sizeof(in_buffer)))
++ return -EIO;
++
+ return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
+ }
+
+--
+2.19.0
+
diff --git a/series.conf b/series.conf
index 8d605bf1f1..ed874b5911 100644
--- a/series.conf
+++ b/series.conf
@@ -17736,6 +17736,7 @@
patches.drivers/USB-add-quirk-for-WORLDE-Controller-KS49-or-Prodipe-.patch
patches.drivers/xhci-Fix-use-after-free-for-URB-cancellation-on-a-re.patch
patches.drivers/USB-yurex-Fix-buffer-over-read-in-yurex_write.patch
+ patches.drivers/USB-yurex-Check-for-truncation-in-yurex_read.patch
patches.drivers/USB-Add-quirk-to-support-DJI-CineSSD.patch
patches.drivers/usb-uas-add-support-for-more-quirk-flags.patch
patches.drivers/usb-Don-t-die-twice-if-PCI-xhci-host-is-not-respondi.patch