From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Johan Hovold <johan@kernel.org>,
Ian Abbott <abbotti@mev.co.uk>
Subject: [PATCH 5.14 19/24] comedi: vmk80xx: fix bulk-buffer overflow
Date: Wed, 10 Nov 2021 19:44:11 +0100 [thread overview]
Message-ID: <20211110182003.949840798@linuxfoundation.org> (raw)
In-Reply-To: <20211110182003.342919058@linuxfoundation.org>
From: Johan Hovold <johan@kernel.org>
commit 78cdfd62bd54af615fba9e3ca1ba35de39d3871d upstream.
The driver is using endpoint-sized buffers but must not assume that the
tx and rx buffers are of equal size or a malicious device could overflow
the slab-allocated receive buffer when doing bulk transfers.
Fixes: 985cafccbf9b ("Staging: Comedi: vmk80xx: Add k8061 support")
Cc: stable@vger.kernel.org # 2.6.31
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20211025114532.4599-5-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/vmk80xx.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
--- a/drivers/comedi/drivers/vmk80xx.c
+++ b/drivers/comedi/drivers/vmk80xx.c
@@ -159,22 +159,20 @@ static void vmk80xx_do_bulk_msg(struct c
__u8 rx_addr;
unsigned int tx_pipe;
unsigned int rx_pipe;
- size_t size;
+ size_t tx_size;
+ size_t rx_size;
tx_addr = devpriv->ep_tx->bEndpointAddress;
rx_addr = devpriv->ep_rx->bEndpointAddress;
tx_pipe = usb_sndbulkpipe(usb, tx_addr);
rx_pipe = usb_rcvbulkpipe(usb, rx_addr);
-
- /*
- * The max packet size attributes of the K8061
- * input/output endpoints are identical
- */
- size = usb_endpoint_maxp(devpriv->ep_tx);
+ tx_size = usb_endpoint_maxp(devpriv->ep_tx);
+ rx_size = usb_endpoint_maxp(devpriv->ep_rx);
usb_bulk_msg(usb, tx_pipe, devpriv->usb_tx_buf,
- size, NULL, devpriv->ep_tx->bInterval);
- usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, size, NULL, HZ * 10);
+ tx_size, NULL, devpriv->ep_tx->bInterval);
+
+ usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, rx_size, NULL, HZ * 10);
}
static int vmk80xx_read_packet(struct comedi_device *dev)
next prev parent reply other threads:[~2021-11-10 18:56 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-10 18:43 [PATCH 5.14 00/24] 5.14.18-rc1 review Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 5.14 01/24] ALSA: pcm: Check mmap capability of runtime dma buffer at first Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 5.14 02/24] ALSA: pci: cs46xx: Fix set up buffer type properly Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 5.14 03/24] KVM: x86: avoid warning with -Wbitwise-instead-of-logical Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 5.14 04/24] Revert "x86/kvm: fix vcpu-id indexed array sizes" Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 5.14 05/24] usb: ehci: handshake CMD_RUN instead of STS_HALT Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 5.14 06/24] usb: gadget: Mark USB_FSL_QE broken on 64-bit Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 5.14 07/24] usb: musb: Balance list entry in musb_gadget_queue Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 08/24] usb-storage: Add compatibility quirk flags for iODD 2531/2541 Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 09/24] Revert "proc/wchan: use printk format instead of lookup_symbol_name()" Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 10/24] binder: use euid from cred instead of using task Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 11/24] binder: use cred instead of task for selinux checks Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 12/24] binder: use cred instead of task for getsecid Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 13/24] binder: dont detect sender/target during buffer cleanup Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 14/24] staging: rtl8712: fix use-after-free in rtl8712_dl_fw Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 15/24] isofs: Fix out of bound access for corrupted isofs image Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 16/24] comedi: dt9812: fix DMA buffers on stack Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 17/24] comedi: ni_usb6501: fix NULL-deref in command paths Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 18/24] comedi: vmk80xx: fix transfer-buffer overflows Greg Kroah-Hartman
2021-11-10 18:44 ` Greg Kroah-Hartman [this message]
2021-11-10 18:44 ` [PATCH 5.14 20/24] comedi: vmk80xx: fix bulk and interrupt message timeouts Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 21/24] staging: r8712u: fix control-message timeout Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 22/24] staging: rtl8192u: fix control-message timeouts Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 23/24] media: staging/intel-ipu3: css: Fix wrong size comparison imgu_css_fw_init Greg Kroah-Hartman
2021-11-10 18:44 ` [PATCH 5.14 24/24] rsi: fix control-message timeout Greg Kroah-Hartman
2021-11-10 23:09 ` [PATCH 5.14 00/24] 5.14.18-rc1 review Florian Fainelli
2021-11-11 10:06 ` Naresh Kamboju
2021-11-11 14:30 ` Fox Chen
2021-11-11 16:28 ` Shuah Khan
2021-11-12 1:16 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211110182003.949840798@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=abbotti@mev.co.uk \
--cc=johan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).