USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor - starfive-tech/linux.git - StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror)

diff options

author	Alan Stern <stern@rowland.harvard.edu>	2019-05-13 20:14:29 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-05-21 11:08:55 +0300
commit	a03ff54460817c76105f81f3aa8ef655759ccc9a (patch)
tree	0fe93a3cb19a1ae9375fe19933ccbfe5e0e2337e /drivers/usb/mtu3
parent	a188339ca5a396acc588e5851ed7e19f66b0ebd9 (diff)
download	linux-a03ff54460817c76105f81f3aa8ef655759ccc9a.tar.xz

USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor

The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the USB core, caused by a failure to check the actual size of a BOS descriptor. This patch adds a check to make sure the descriptor is at least as large as it is supposed to be, so that the code doesn't inadvertently access memory beyond the end of the allocated region when assigning to dev->bos->desc->bNumDeviceCaps later on. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com CC: <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'drivers/usb/mtu3')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: