[PATCH] usb: don't trust report_size for buffer size

From: Kees Cook
Date: Mon Oct 11 2010 - 14:28:39 EST

Next message: Takashi Iwai: "Re: [PATCH 3/3] Input: synaptics - remove touches over button click area"
Previous message: Linus Torvalds: "Re: stable cc's in linux -next was Re: [BUG] x86: bootmem broken onSGI UV"
Next in thread: Németh Márton: "Re: [PATCH] usb: don't trust report_size for buffer size"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If the iowarrior devices in this case statement support more than 8 bytes
per report, it is possible to write past the end of a kernel heap allocation.
This will probably never be possible, but change the allocation to be more
defensive anyway.

Signed-off-by: Kees Cook <kees.cook@xxxxxxxxxxxxx>
---
drivers/usb/misc/iowarrior.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index bc88c79..8ed8d05 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
case USB_DEVICE_ID_CODEMERCS_IOWPV2:
case USB_DEVICE_ID_CODEMERCS_IOW40:
/* IOW24 and IOW40 use a synchronous call */
- buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both products */
+ buf = kmalloc(count, GFP_KERNEL);
if (!buf) {
retval = -ENOMEM;
goto exit;
--
1.7.1

--
Kees Cook
Ubuntu Security Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Takashi Iwai: "Re: [PATCH 3/3] Input: synaptics - remove touches over button click area"
Previous message: Linus Torvalds: "Re: stable cc's in linux -next was Re: [BUG] x86: bootmem broken onSGI UV"
Next in thread: Németh Márton: "Re: [PATCH] usb: don't trust report_size for buffer size"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]