Re: KASAN: slab-out-of-bounds Read in gadget_dev_desc_UDC_store

From: Greg KH
Date: Fri May 01 2020 - 03:05:44 EST

Next message: Will Deacon: "Re: [PATCH] drivers/iommu: properly export iommu_group_get_for_dev"
Previous message: Greg KH: "Re: [PATCH] usb: usbfs: correct kernel->user page attribute mismatch"
Next in thread: Kyungtae Kim: "Re: KASAN: slab-out-of-bounds Read in gadget_dev_desc_UDC_store"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Apr 30, 2020 at 11:03:54PM -0400, Kyungtae Kim wrote:
> We report a bug (in linux-5.6.8) found by FuzzUSB (a modified version
> of syzkaller).
>
> This happened when the size of "name" buffer is smaller than that of
> "page" buffer
> (after function kstrdup executed at line 263).
> I guess it comes from the "page" buffer containing 0 value in the middle.
> So accessing the "name" buffer with "len" variable, which is used to
> indicate the size of "page" buffer,
> triggered memory access violation.
> To fix, it may need to check the size of name buffer, and try to use
> right index variable.

Can you submit a patch for this as you have a reproducer to test the
issue?

thanks,

greg k-h

Next message: Will Deacon: "Re: [PATCH] drivers/iommu: properly export iommu_group_get_for_dev"
Previous message: Greg KH: "Re: [PATCH] usb: usbfs: correct kernel->user page attribute mismatch"
Next in thread: Kyungtae Kim: "Re: KASAN: slab-out-of-bounds Read in gadget_dev_desc_UDC_store"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]