From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
Alan Stern <stern@rowland.harvard.edu>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
linux-usb@vger.kernel.org, usb-storage@lists.one-eyed-alien.net
Subject: [PATCH AUTOSEL 5.15 34/50] USB: ene_usb6250: Allocate enough memory for full object
Date: Fri, 3 Mar 2023 16:45:15 -0500 [thread overview]
Message-ID: <20230303214531.1450154-34-sashal@kernel.org> (raw)
In-Reply-To: <20230303214531.1450154-1-sashal@kernel.org>
From: Kees Cook <keescook@chromium.org>
[ Upstream commit ce33e64c1788912976b61314b56935abd4bc97ef ]
The allocation of PageBuffer is 512 bytes in size, but the dereferencing
of struct ms_bootblock_idi (also size 512) happens at a calculated offset
within the allocation, which means the object could potentially extend
beyond the end of the allocation. Avoid this case by just allocating
enough space to catch any accesses beyond the end. Seen with GCC 13:
../drivers/usb/storage/ene_ub6250.c: In function 'ms_lib_process_bootblock':
../drivers/usb/storage/ene_ub6250.c:1050:44: warning: array subscript 'struct ms_bootblock_idi[0]' is partly outside array bounds of 'unsigned char[512]' [-Warray-bounds=]
1050 | if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
| ^~
../include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu'
37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
| ^
../drivers/usb/storage/ene_ub6250.c:1050:29: note: in expansion of macro 'le16_to_cpu'
1050 | if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
| ^~~~~~~~~~~
In file included from ../drivers/usb/storage/ene_ub6250.c:5:
In function 'kmalloc',
inlined from 'ms_lib_process_bootblock' at ../drivers/usb/storage/ene_ub6250.c:942:15:
../include/linux/slab.h:580:24: note: at offset [256, 512] into object of size 512 allocated by 'kmalloc_trace'
580 | return kmalloc_trace(
| ^~~~~~~~~~~~~~
581 | kmalloc_caches[kmalloc_type(flags)][index],
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
582 | flags, size);
| ~~~~~~~~~~~~
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230204183546.never.849-kees@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/storage/ene_ub6250.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/storage/ene_ub6250.c b/drivers/usb/storage/ene_ub6250.c
index 6012603f3630e..97c66c0d91f4d 100644
--- a/drivers/usb/storage/ene_ub6250.c
+++ b/drivers/usb/storage/ene_ub6250.c
@@ -939,7 +939,7 @@ static int ms_lib_process_bootblock(struct us_data *us, u16 PhyBlock, u8 *PageDa
struct ms_lib_type_extdat ExtraData;
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
- PageBuffer = kmalloc(MS_BYTES_PER_PAGE, GFP_KERNEL);
+ PageBuffer = kzalloc(MS_BYTES_PER_PAGE * 2, GFP_KERNEL);
if (PageBuffer == NULL)
return (u32)-1;
--
2.39.2
next prev parent reply other threads:[~2023-03-03 22:36 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-03 21:44 [PATCH AUTOSEL 5.15 01/50] IB/hfi1: Update RMT size calculation Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 02/50] iommu/amd: Fix error handling for pdev_pri_ats_enable() Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 03/50] media: uvcvideo: Remove format descriptions Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 04/50] media: uvcvideo: Handle cameras with invalid descriptors Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 05/50] media: uvcvideo: Handle errors from calls to usb_string Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 06/50] media: uvcvideo: Quirk for autosuspend in Logitech B910 and C910 Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 07/50] media: uvcvideo: Silence memcpy() run-time false positive warnings Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 08/50] USB: fix memory leak with using debugfs_lookup() Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 09/50] staging: emxx_udc: Add checks for dma_alloc_coherent() Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 10/50] tty: fix out-of-bounds access in tty_driver_lookup_tty() Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 11/50] tty: serial: fsl_lpuart: disable the CTS when send break signal Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 12/50] serial: sc16is7xx: setup GPIO controller later in probe Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 13/50] mei: bus-fixup:upon error print return values of send and receive Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 14/50] parport_pc: Set up mode and ECR masks for Oxford Semiconductor devices Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 15/50] tools/iio/iio_utils:fix memory leak Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 16/50] iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_status_word() Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 17/50] iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_config_word() Sasha Levin
2023-03-03 21:44 ` [PATCH AUTOSEL 5.15 18/50] firmware: coreboot: framebuffer: Ignore reserved pixel color bits Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 19/50] soundwire: bus_type: Avoid lockdep assert in sdw_drv_probe() Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 20/50] PCI: loongson: Prevent LS7A MRRS increases Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 21/50] USB: dwc3: fix memory leak with using debugfs_lookup() Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 22/50] USB: chipidea: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 23/50] USB: uhci: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 24/50] USB: sl811: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 25/50] USB: fotg210: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 26/50] USB: isp116x: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 27/50] USB: isp1362: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 28/50] USB: gadget: gr_udc: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 29/50] USB: gadget: bcm63xx_udc: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 30/50] USB: gadget: lpc32xx_udc: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 31/50] USB: gadget: pxa25x_udc: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 32/50] USB: gadget: pxa27x_udc: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 33/50] usb: host: xhci: mvebu: Iterate over array indexes instead of using pointer math Sasha Levin
2023-03-03 21:45 ` Sasha Levin [this message]
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 35/50] usb: uvc: Enumerate valid values for color matching Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 36/50] usb: gadget: uvc: Make bSourceID read/write Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 37/50] PCI: Align extra resources for hotplug bridges properly Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 38/50] PCI: Take other bus devices into account when distributing resources Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 39/50] tty: pcn_uart: fix memory leak with using debugfs_lookup() Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 40/50] misc: vmw_balloon: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 41/50] drivers: base: component: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 42/50] drivers: base: dd: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 43/50] kernel/time/test_udelay.c: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 44/50] kernel/power/energy_model.c: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 45/50] kernel/fail_function: " Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 46/50] PCI: loongson: Add more devices that need MRRS quirk Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 47/50] PCI: Add ACS quirk for Wangxun NICs Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 48/50] phy: rockchip-typec: Fix unsigned comparison with less than zero Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 49/50] soundwire: cadence: Remove wasted space in response_buf Sasha Levin
2023-03-03 21:45 ` [PATCH AUTOSEL 5.15 50/50] soundwire: cadence: Drain the RX FIFO after an IO timeout Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230303214531.1450154-34-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=usb-storage@lists.one-eyed-alien.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).