Re: BUG: bad usercopy in ld_usb_read

From: Kees Cook
Date: Sat Aug 10 2019 - 14:23:26 EST


On Fri, Aug 09, 2019 at 11:13:00AM -0400, Alan Stern wrote:
> In fact, I don't see why any of the computations here should overflow
> or wrap around, or even give rise to a negative value. If syzbot had a
> reproducer we could get more debugging output -- but it doesn't.

Yeah, this is odd. The only thing I could see here with more study was
that ring_tail is used/updated outside of the rbsl lock in
ld_usb_read(). I couldn't convince myself there wasn't a race against
the interrupt, but I also couldn't think of a way it could break...

--
Kees Cook