Message-ID: <1489570009.30434.7.camel@suse.com>
Subject: Re: [PATCH 2/4] cdc-acm: fix possible invalid access when processing notification
From: Oliver Neukum
To: Tobias Herzog
Cc: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
Date: Wed, 15 Mar 2017 10:26:49 +0100
In-Reply-To: <1489522489-6233-2-git-send-email-t-herzog@gmx.de>
References: <1479118868.21146.4.camel@suse.com> <1489522489-6233-1-git-send-email-t-herzog@gmx.de> <1489522489-6233-2-git-send-email-t-herzog@gmx.de>

On Tuesday, 14 March 2017 at 21:14 +0100, Tobias Herzog wrote:
> Notifications may be only 8 bytes long. Accessing the 9th and
> 10th byte of unimplemented/unknown notifications may be insecure.
> Also check the length of known notifications before accessing anything
> behind the 8th byte.
>
> Signed-off-by: Tobias Herzog
> ---
> drivers/usb/class/cdc-acm.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
> index 40714fe..b99127e 100644
> --- a/drivers/usb/class/cdc-acm.c
> +++ b/drivers/usb/class/cdc-acm.c
> @@ -296,6 +296,12 @@ static void acm_process_notification(struct acm *acm, unsigned char *buf) > break; > > case USB_CDC_NOTIFY_SERIAL_STATE: > + if (dr->wLength != 2) { Endianness > + dev_dbg(&acm->control->dev, > + "%s - malformed serial state\n", __func__); > + break; > + } > + > newctrl = get_unaligned_le16(data); > > if (!acm->clocal && (acm->ctrlin & ~newctrl & ACM_CTRL_DCD)) { > @@ -332,11 +338,10 @@ static void acm_process_notification(struct acm *acm, unsigned char *buf) > > default: > dev_dbg(&acm->control->dev, > - "%s - unknown notification %d received: index %d " > - "len %d data0 %d data1 %d\n", > + "%s - unknown notification %d received: index %d len %d\n", > __func__, > dr->bNotificationType, dr->wIndex, > - dr->wLength, data[0], data[1]); > + dr->wLength); > } > } >
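Review bot: the new length check in the USB_CDC_NOTIFY_SERIAL_STATE case compares dr->wLength directly with 2, but wLength in struct usb_cdc_notification is a little-endian __le16 as it arrives from the device, so the comparison is only correct on little-endian hosts and sparse will flag it; write it as `if (le16_to_cpu(dr->wLength) != 2)` (this is the endianness point raised inline above). The check itself is the right idea, since it guarantees two data bytes are present before get_unaligned_le16(data) reads them and makes dev_dbg-and-break the failure path. Consider `< 2` rather than `!= 2`, otherwise a device that pads the notification beyond two bytes has its serial state silently ignored.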
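Review bot: the reworked dev_dbg in the default case still passes dr->wIndex and dr->wLength to %d as raw __le16 values, so the logged index and length are byte-swapped on big-endian hosts; since this line is being rewritten anyway, wrap both in le16_to_cpu(). Dropping data[0] and data[1] from the message is the correct fix for the read past the 8-byte header that the commit message describes, because an unknown notification need not carry any data bytes at all.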