[PATCH v2 0/2] USB: ldusb: fix ring-buffer bugs

From: Johan Hovold
Date: Fri Oct 18 2019 - 11:20:03 EST


Syzbot has been reporting a slab-out-of-bounds/bad user copy in ldusb
for some time now.

This turned out to due to a bug in the read() implementation, which
would have read() access the uninitialised ring buffer and leak huge
amounts of slab data on URB completion errors (e.g. disconnect).

The first patch plugs the info leaks.

The second patch fixes a couple of issues in the custom ring-buffer
implementation, which before the first patch also could have led to
info leaks.

In an attempt to avoid copying the ring-buffer entry to a temporary
buffer while holding the spinlock, I added an smp_rmb() before
copy_to_user() which I think will suffice, but I'd appreciate if you
could help me verify that. Hence the RFC on that one.

The first commit could go to Linus meanwhile.

Johan

v2
- fix buffer-entry length check in 1/2


Johan Hovold (2):
USB: ldusb: fix read info leaks
USB: ldusb: fix ring-buffer locking

drivers/usb/misc/ldusb.c | 31 ++++++++++++++++++++++---------
1 file changed, 22 insertions(+), 9 deletions(-)

--
2.23.0