From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Henry Tian <tianxiaofeng@bytedance.com>,
Lei YU <yulei.sh@bytedance.com>,
Neal Liu <neal_liu@aspeedtech.com>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
joel@jms.id.au, jakobkoschel@gmail.com,
linux-usb@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
linux-aspeed@lists.ozlabs.org
Subject: [PATCH AUTOSEL 6.1 11/26] usb: gadget: aspeed: fix buffer overflow
Date: Fri, 23 Dec 2022 20:29:15 -0500 [thread overview]
Message-ID: <20221224012930.392358-11-sashal@kernel.org> (raw)
In-Reply-To: <20221224012930.392358-1-sashal@kernel.org>
From: Henry Tian <tianxiaofeng@bytedance.com>
[ Upstream commit 83045e19feae937c425248824d1dc0fc95583842 ]
In ast_vhub_epn_handle_ack() when the received data length exceeds the
buffer, it does not check the case and just copies to req.buf and cause
a buffer overflow, kernel oops on this case.
This issue could be reproduced on a BMC with an OS that enables the
lan over USB:
1. In OS, enable the usb eth dev, verify it pings the BMC OK;
2. In OS, set the usb dev mtu to 2000. (Default is 1500);
3. In OS, ping the BMC with `-s 2000` argument.
The BMC kernel will get oops with below logs:
skbuff: skb_over_panic: text:8058e098 len:2048 put:2048 head:84c678a0 data:84c678c2 tail:0x84c680c2 end:0x84c67f00 dev:usb0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
Internal error: Oops - BUG: 0 [#1] ARM
CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.69-c9fb275-dirty-d1e579a #1
Hardware name: Generic DT based system
PC is at skb_panic+0x60/0x6c
LR is at irq_work_queue+0x6c/0x94
Fix the issue by checking the length and set `-EOVERFLOW`.
Tested: Verify the BMC kernel does not get oops in the above case, and
the usb ethernet gets RX packets errors instead.
Signed-off-by: Lei YU <yulei.sh@bytedance.com>
Signed-off-by: Henry Tian <tianxiaofeng@bytedance.com>
Reviewed-by: Neal Liu <neal_liu@aspeedtech.com>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Link: https://lore.kernel.org/r/20221024094853.2877441-1-yulei.sh@bytedance.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/udc/aspeed-vhub/core.c | 2 +-
drivers/usb/gadget/udc/aspeed-vhub/epn.c | 16 ++++++++++++----
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/gadget/udc/aspeed-vhub/core.c b/drivers/usb/gadget/udc/aspeed-vhub/core.c
index 7a635c499777..ac3ca24f8b04 100644
--- a/drivers/usb/gadget/udc/aspeed-vhub/core.c
+++ b/drivers/usb/gadget/udc/aspeed-vhub/core.c
@@ -37,7 +37,7 @@ void ast_vhub_done(struct ast_vhub_ep *ep, struct ast_vhub_req *req,
list_del_init(&req->queue);
- if (req->req.status == -EINPROGRESS)
+ if ((req->req.status == -EINPROGRESS) || (status == -EOVERFLOW))
req->req.status = status;
if (req->req.dma) {
diff --git a/drivers/usb/gadget/udc/aspeed-vhub/epn.c b/drivers/usb/gadget/udc/aspeed-vhub/epn.c
index b5252880b389..56e55472daa1 100644
--- a/drivers/usb/gadget/udc/aspeed-vhub/epn.c
+++ b/drivers/usb/gadget/udc/aspeed-vhub/epn.c
@@ -84,6 +84,7 @@ static void ast_vhub_epn_handle_ack(struct ast_vhub_ep *ep)
{
struct ast_vhub_req *req;
unsigned int len;
+ int status = 0;
u32 stat;
/* Read EP status */
@@ -119,9 +120,15 @@ static void ast_vhub_epn_handle_ack(struct ast_vhub_ep *ep)
len = VHUB_EP_DMA_TX_SIZE(stat);
/* If not using DMA, copy data out if needed */
- if (!req->req.dma && !ep->epn.is_in && len)
- memcpy(req->req.buf + req->req.actual, ep->buf, len);
-
+ if (!req->req.dma && !ep->epn.is_in && len) {
+ if (req->req.actual + len > req->req.length) {
+ req->last_desc = 1;
+ status = -EOVERFLOW;
+ goto done;
+ } else {
+ memcpy(req->req.buf + req->req.actual, ep->buf, len);
+ }
+ }
/* Adjust size */
req->req.actual += len;
@@ -129,9 +136,10 @@ static void ast_vhub_epn_handle_ack(struct ast_vhub_ep *ep)
if (len < ep->ep.maxpacket)
req->last_desc = 1;
+done:
/* That's it ? complete the request and pick a new one */
if (req->last_desc >= 0) {
- ast_vhub_done(ep, req, 0);
+ ast_vhub_done(ep, req, status);
req = list_first_entry_or_null(&ep->queue, struct ast_vhub_req,
queue);
--
2.35.1
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Henry Tian <tianxiaofeng@bytedance.com>,
Lei YU <yulei.sh@bytedance.com>,
Neal Liu <neal_liu@aspeedtech.com>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
joel@jms.id.au, jakobkoschel@gmail.com,
linux-usb@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
linux-aspeed@lists.ozlabs.org
Subject: [PATCH AUTOSEL 6.1 11/26] usb: gadget: aspeed: fix buffer overflow
Date: Fri, 23 Dec 2022 20:29:15 -0500 [thread overview]
Message-ID: <20221224012930.392358-11-sashal@kernel.org> (raw)
In-Reply-To: <20221224012930.392358-1-sashal@kernel.org>
From: Henry Tian <tianxiaofeng@bytedance.com>
[ Upstream commit 83045e19feae937c425248824d1dc0fc95583842 ]
In ast_vhub_epn_handle_ack() when the received data length exceeds the
buffer, it does not check the case and just copies to req.buf and cause
a buffer overflow, kernel oops on this case.
This issue could be reproduced on a BMC with an OS that enables the
lan over USB:
1. In OS, enable the usb eth dev, verify it pings the BMC OK;
2. In OS, set the usb dev mtu to 2000. (Default is 1500);
3. In OS, ping the BMC with `-s 2000` argument.
The BMC kernel will get oops with below logs:
skbuff: skb_over_panic: text:8058e098 len:2048 put:2048 head:84c678a0 data:84c678c2 tail:0x84c680c2 end:0x84c67f00 dev:usb0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
Internal error: Oops - BUG: 0 [#1] ARM
CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.69-c9fb275-dirty-d1e579a #1
Hardware name: Generic DT based system
PC is at skb_panic+0x60/0x6c
LR is at irq_work_queue+0x6c/0x94
Fix the issue by checking the length and set `-EOVERFLOW`.
Tested: Verify the BMC kernel does not get oops in the above case, and
the usb ethernet gets RX packets errors instead.
Signed-off-by: Lei YU <yulei.sh@bytedance.com>
Signed-off-by: Henry Tian <tianxiaofeng@bytedance.com>
Reviewed-by: Neal Liu <neal_liu@aspeedtech.com>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Link: https://lore.kernel.org/r/20221024094853.2877441-1-yulei.sh@bytedance.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/udc/aspeed-vhub/core.c | 2 +-
drivers/usb/gadget/udc/aspeed-vhub/epn.c | 16 ++++++++++++----
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/gadget/udc/aspeed-vhub/core.c b/drivers/usb/gadget/udc/aspeed-vhub/core.c
index 7a635c499777..ac3ca24f8b04 100644
--- a/drivers/usb/gadget/udc/aspeed-vhub/core.c
+++ b/drivers/usb/gadget/udc/aspeed-vhub/core.c
@@ -37,7 +37,7 @@ void ast_vhub_done(struct ast_vhub_ep *ep, struct ast_vhub_req *req,
list_del_init(&req->queue);
- if (req->req.status == -EINPROGRESS)
+ if ((req->req.status == -EINPROGRESS) || (status == -EOVERFLOW))
req->req.status = status;
if (req->req.dma) {
diff --git a/drivers/usb/gadget/udc/aspeed-vhub/epn.c b/drivers/usb/gadget/udc/aspeed-vhub/epn.c
index b5252880b389..56e55472daa1 100644
--- a/drivers/usb/gadget/udc/aspeed-vhub/epn.c
+++ b/drivers/usb/gadget/udc/aspeed-vhub/epn.c
@@ -84,6 +84,7 @@ static void ast_vhub_epn_handle_ack(struct ast_vhub_ep *ep)
{
struct ast_vhub_req *req;
unsigned int len;
+ int status = 0;
u32 stat;
/* Read EP status */
@@ -119,9 +120,15 @@ static void ast_vhub_epn_handle_ack(struct ast_vhub_ep *ep)
len = VHUB_EP_DMA_TX_SIZE(stat);
/* If not using DMA, copy data out if needed */
- if (!req->req.dma && !ep->epn.is_in && len)
- memcpy(req->req.buf + req->req.actual, ep->buf, len);
-
+ if (!req->req.dma && !ep->epn.is_in && len) {
+ if (req->req.actual + len > req->req.length) {
+ req->last_desc = 1;
+ status = -EOVERFLOW;
+ goto done;
+ } else {
+ memcpy(req->req.buf + req->req.actual, ep->buf, len);
+ }
+ }
/* Adjust size */
req->req.actual += len;
@@ -129,9 +136,10 @@ static void ast_vhub_epn_handle_ack(struct ast_vhub_ep *ep)
if (len < ep->ep.maxpacket)
req->last_desc = 1;
+done:
/* That's it ? complete the request and pick a new one */
if (req->last_desc >= 0) {
- ast_vhub_done(ep, req, 0);
+ ast_vhub_done(ep, req, status);
req = list_first_entry_or_null(&ep->queue, struct ast_vhub_req,
queue);
--
2.35.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-12-24 1:31 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-24 1:29 [PATCH AUTOSEL 6.1 01/26] gpiolib: of: add a quirk for legacy names in Mediatek mt2701-cs42448 Sasha Levin
2022-12-24 1:29 ` Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 02/26] gpiolib: of: consolidate simple renames into a single quirk Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 03/26] gpiolib: of: tighten selection of gpio renaming quirks Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 04/26] gpiolib: of: add quirk for locating reset lines with legacy bindings Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 05/26] gpiolib: of: add a quirk for reset line for Marvell NFC controller Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 06/26] gpiolib: of: add a quirk for reset line for Cirrus CS42L56 codec Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 07/26] gpiolib: of: add a quirk for legacy names in MOXA ART RTC Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 08/26] kset: fix memory leak when kset_register() returns error Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 09/26] USB: core: Change configuration warnings to notices Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 10/26] usb: core: stop USB enumeration if too many retries Sasha Levin
2022-12-24 1:29 ` Sasha Levin [this message]
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 11/26] usb: gadget: aspeed: fix buffer overflow Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 12/26] usb: gadget: u_ether: Do not make UDC parent of the net device Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 13/26] usb: gadget: f_ecm: Always set current gadget in ecm_bind() Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 14/26] devres: Use kmalloc_size_roundup() to match ksize() usage Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 15/26] chardev: Fix potential memory leak when cdev_add() failed Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 16/26] usb/usbip: Fix v_recv_cmd_submit() to use PIPE_BULK define Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 17/26] char: xillybus: Prevent use-after-free due to race condition Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 18/26] habanalabs: zero ts registration buff when allocated Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 19/26] char: xillybus: Fix trivial bug with mutex Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 20/26] iio: filter: admv8818: close potential out-of-bounds read in __admv8818_read_[h|l]pf_freq() Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 21/26] xhci: disable U3 suspended ports in S4 hibernate poweroff_late stage Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 22/26] ACPICA: Fix operand resolution Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 23/26] ksmbd: Fix resource leak in smb2_lock() Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 24/26] writeback: Add asserts for adding freed inode to lists Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 25/26] exfat: fix overflow in sector and cluster conversion Sasha Levin
2022-12-24 1:29 ` [PATCH AUTOSEL 6.1 26/26] fbdev: smscufx: fix error handling code in ufx_usb_probe Sasha Levin
2022-12-24 1:29 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221224012930.392358-11-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=benh@kernel.crashing.org \
--cc=gregkh@linuxfoundation.org \
--cc=jakobkoschel@gmail.com \
--cc=joel@jms.id.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-aspeed@lists.ozlabs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=neal_liu@aspeedtech.com \
--cc=stable@vger.kernel.org \
--cc=tianxiaofeng@bytedance.com \
--cc=yulei.sh@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.