Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

From: Greg Kroah-Hartman
Date: Thu Sep 21 2017 - 03:31:51 EST


On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote:
> Hi!
>
> I've got the following crash while fuzzing the kernel with syzkaller.
>
> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
>
> It looks like cdc_parse_cdc_header() doesn't validate buflen before
> accessing buffer[1], buffer[2] and so on. The only check present is
> while (buflen > 0).

Ugh, you are right, let me go work on a patch, thanks for the report...