From: Sudip Mukherjee sudipm.mukherjee@gmail.com

The port number is checked and it just prints an error message but it still continues to use the invalid port. And as a result it accesses memory which is not its, resulting in BUG report from KASAN.

Reported-by: syzbot+600b03e0cf1b73bb23c4@syzkaller.appspotmail.com
Cc: stable stable@vger.kernel.org
Signed-off-by: Sudip Mukherjee sudipm.mukherjee@gmail.com
---
drivers/usb/usbip/vhci_hcd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c index d11f3f8dad40..71883aa788ac 100644 --- a/drivers/usb/usbip/vhci_hcd.c +++ b/drivers/usb/usbip/vhci_hcd.c @@ -334,8 +334,10 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, usbip_dbg_vhci_rh("typeReq %x wValue %x wIndex %x\n", typeReq, wValue, wIndex);
- if (wIndex > VHCI_HC_PORTS) + if (wIndex > VHCI_HC_PORTS) { pr_err("invalid port number %d\n", wIndex); + return -ENODEV; + } rhport = wIndex - 1;
vhci_hcd = hcd_to_vhci_hcd(hcd);
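Review bot: The added `return -ENODEV` guards only the upper bound, and the test `wIndex > VHCI_HC_PORTS` still lets wIndex == 0 through to `rhport = wIndex - 1`, which gives -1 if rhport is a signed index, so an out-of-range port value remains possible on the low side. The check also sits at the top of vhci_hub_control(), before typeReq is examined, so any request arriving with a large wIndex is now rejected whether or not that request treats wIndex as a port number. Consider validating rhport (both `< 0` and `>= VHCI_HC_PORTS`) at the points where it is actually used as an index, rather than returning early for every request type.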
Hi Sudip,

On 10/08/2018 01:19 PM, Sudip Mukherjee wrote:
> From: Sudip Mukherjee sudipm.mukherjee@gmail.com
>
> The port number is checked and it just prints an error message but it still continues to use the invalid port. And as a result it accesses memory which is not its, resulting in BUG report from KASAN.

Yes there is an issue with out of bounds access. But this isn't the right fix.

> Reported-by: syzbot+600b03e0cf1b73bb23c4@syzkaller.appspotmail.com
> Cc: stable stable@vger.kernel.org
> Signed-off-by: Sudip Mukherjee sudipm.mukherjee@gmail.com

I sent in a fix for this last Friday.

https://patchwork.kernel.org/patch/10628833/

thanks,
-- Shuah
On Mon, Oct 8, 2018 at 8:29 PM Shuah Khan shuah@kernel.org wrote:
> Hi Sudip,
>
> On 10/08/2018 01:19 PM, Sudip Mukherjee wrote:
>> From: Sudip Mukherjee sudipm.mukherjee@gmail.com
>>
>> The port number is checked and it just prints an error message but it still continues to use the invalid port. And as a result it accesses memory which is not its, resulting in BUG report from KASAN.
>
> Yes there is an issue with out of bounds access. But this isn't the right fix.
>
>> Reported-by: syzbot+600b03e0cf1b73bb23c4@syzkaller.appspotmail.com
>> Cc: stable stable@vger.kernel.org
>> Signed-off-by: Sudip Mukherjee sudipm.mukherjee@gmail.com
>
> I sent in a fix for this last Friday.

And I can confirm this patch also fixes the issue tested with the reproducer I was using in my vm.
On 10/08/2018 02:01 PM, Sudip Mukherjee wrote:
> On Mon, Oct 8, 2018 at 8:29 PM Shuah Khan shuah@kernel.org wrote:
>> Hi Sudip,
>>
>> On 10/08/2018 01:19 PM, Sudip Mukherjee wrote:
>>> From: Sudip Mukherjee sudipm.mukherjee@gmail.com
>>>
>>> The port number is checked and it just prints an error message but it still continues to use the invalid port. And as a result it accesses memory which is not its, resulting in BUG report from KASAN.
>>
>> Yes there is an issue with out of bounds access. But this isn't the right fix.
>>
>>> Reported-by: syzbot+600b03e0cf1b73bb23c4@syzkaller.appspotmail.com
>>> Cc: stable stable@vger.kernel.org
>>> Signed-off-by: Sudip Mukherjee sudipm.mukherjee@gmail.com
>>
>> I sent in a fix for this last Friday.
>
> And I can confirm this patch also fixes the issue tested with the reproducer I was using in my vm.

Great. Thanks for testing the patch.

thanks,
-- Shuah
linux-stable-mirror@lists.linaro.org