6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xinyu Liu 1171169449@qq.com
commit 3014168731b7930300aab656085af784edc861f6 upstream.
When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero.
This patch fixes the vulnerability by adding a check at the beginning of os_desc_qw_sign_store() and webusb_landingPage_store() to handle the zero-length input case gracefully by returning immediately.
Signed-off-by: Xinyu Liu katieeliu@tencent.com Cc: stable stable@kernel.org Link: https://lore.kernel.org/r/tencent_B1C9481688D0E95E7362AB2E999DE8048207@qq.co... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/usb/gadget/configfs.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/usb/gadget/configfs.c +++ b/drivers/usb/gadget/configfs.c @@ -1062,6 +1062,8 @@ static ssize_t webusb_landingPage_store( unsigned int bytes_to_strip = 0; int l = len;
+ if (!len) + return len; if (page[l - 1] == '\n') { --l; ++bytes_to_strip; @@ -1185,6 +1187,8 @@ static ssize_t os_desc_qw_sign_store(str struct gadget_info *gi = os_desc_item_to_gadget_info(item); int res, l;
+ if (!len) + return len; l = min((int)len, OS_STRING_QW_SIGN_LEN >> 1); if (page[l - 1] == '\n') --l;