Re: BUG: bad usercopy in ld_usb_read

From: Kees Cook
Date: Sat Aug 10 2019 - 14:23:26 EST

Next message: Paul E. McKenney: "Re: [PATCH RFC v1 1/2] rcu/tree: Add basic support for kfree_rcu batching"
Previous message: Michael S. Tsirkin: "Re: [PATCH v3 1/2] virtio_console: free unused buffers with port delete"
In reply to: Alan Stern: "Re: BUG: bad usercopy in ld_usb_read"
Next in thread: syzbot: "Re: BUG: bad usercopy in ld_usb_read"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Aug 09, 2019 at 11:13:00AM -0400, Alan Stern wrote:
> In fact, I don't see why any of the computations here should overflow
> or wrap around, or even give rise to a negative value. If syzbot had a
> reproducer we could get more debugging output -- but it doesn't.

Yeah, this is odd. The only thing I could see here with more study was
that ring_tail is used/updated outside of the rbsl lock in
ld_usb_read(). I couldn't convince myself there wasn't a race against
the interrupt, but I also couldn't think of a way it could break...

--
Kees Cook

Next message: Paul E. McKenney: "Re: [PATCH RFC v1 1/2] rcu/tree: Add basic support for kfree_rcu batching"
Previous message: Michael S. Tsirkin: "Re: [PATCH v3 1/2] virtio_console: free unused buffers with port delete"
In reply to: Alan Stern: "Re: BUG: bad usercopy in ld_usb_read"
Next in thread: syzbot: "Re: BUG: bad usercopy in ld_usb_read"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]