linux/drivers/usb
Kyungtae Kim 15753588bc USB: gadget: fix illegal array access in binding with UDC
FuzzUSB (a variant of syzkaller) found an illegal array access
using an incorrect index while binding a gadget with UDC.

Reference: https://www.spinics.net/lists/linux-usb/msg194331.html

This bug occurs when a size variable used for a buffer
is misused to access its strcpy-ed buffer.
Given a buffer along with its size variable (taken from user input),
from which, a new buffer is created using kstrdup().
Due to the original buffer containing 0 value in the middle,
the size of the kstrdup-ed buffer becomes smaller than that of the original.
So accessing the kstrdup-ed buffer with the same size variable
triggers memory access violation.

The fix makes sure no zero value in the buffer,
by comparing the strlen() of the orignal buffer with the size variable,
so that the access to the kstrdup-ed buffer is safe.

BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200
drivers/usb/gadget/configfs.c:266
Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208

CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
 __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266
 flush_write_buffer fs/configfs/file.c:251 [inline]
 configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283
 __vfs_write+0x85/0x110 fs/read_write.c:494
 vfs_write+0x1cd/0x510 fs/read_write.c:558
 ksys_write+0x18a/0x220 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:620
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Signed-off-by: Kyungtae Kim <kt0755@gmail.com>
Reported-and-tested-by: Kyungtae Kim <kt0755@gmail.com>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-15 15:42:17 +02:00
..
atm USB: atm: Use the correct style for SPDX License Identifier 2020-03-17 20:03:28 +01:00
c67x00 USB: c67x00: Use the correct style for SPDX License Identifier 2020-03-17 20:03:28 +01:00
cdns3 usb: cdns3: gadget: make a bunch of functions static 2020-05-14 12:46:10 +03:00
chipidea usb: chipidea: msm: Ensure proper controller reset using role switch API 2020-05-07 08:46:35 +02:00
class cdc-acm: introduce a cool down 2020-04-16 14:59:49 +02:00
common
core usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B 2020-05-15 15:41:13 +02:00
dwc2 usb: dwc2: convert to devm_platform_get_and_ioremap_resource 2020-03-24 12:09:39 +01:00
dwc3 usb: dwc3: select USB_ROLE_SWITCH 2020-05-09 11:05:09 +03:00
early USB: early: Handle AMD's spec-compliant identifiers, too 2020-04-16 14:46:00 +02:00
gadget USB: gadget: fix illegal array access in binding with UDC 2020-05-15 15:42:17 +02:00
host usb: host: xhci-plat: keep runtime active when removing host 2020-05-14 13:44:37 +02:00
image
isp1760 remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
misc USB: sisusbvga: Change port variable from signed to unsigned 2020-04-23 15:26:17 +02:00
mon USB: mon: Use scnprintf() for avoiding potential buffer overflow 2020-03-12 09:49:28 +01:00
mtu3 usb: mtu3: constify struct debugfs_reg32 2020-05-14 12:42:53 +03:00
musb usb: musb: tusb6010: fix a possible missing data type replacement 2020-03-17 20:03:28 +01:00
phy usb: phy: twl6030-usb: Fix a resource leak in an error handling path in 'twl6030_usb_probe()' 2020-05-09 11:05:08 +03:00
renesas_usbhs phy: for 5.6 2020-01-17 07:52:26 +01:00
roles usb: roles: Allow the role switches to be named 2020-03-04 11:12:50 +01:00
serial USB: serial: qcserial: Add DW5816e support 2020-05-04 18:23:54 +02:00
storage USB: uas: add quirk for LaCie 2Big Quadra 2020-04-30 09:28:43 +02:00
typec usb: typec: mux: intel: Fix DP_HPD_LVL bit field 2020-05-13 14:33:51 +02:00
usbip
Kconfig
Makefile
usb-skeleton.c