Re: [PATCH 4/5] comedi: vmk80xx: fix bulk-buffer overflow

From: Ian Abbott
Date: Tue Oct 26 2021 - 10:34:35 EST

Next message: Lai Jiangshan: "[PATCH V4 26/50] x86/entry: Convert SWAPGS to swapgs in entry_SYSENTER_compat()"
Previous message: Andrea Righi: "[PATCH] selftests/bpf: fix fclose/pclose mismatch"
In reply to: Johan Hovold: "[PATCH 4/5] comedi: vmk80xx: fix bulk-buffer overflow"
Next in thread: Johan Hovold: "[PATCH 2/5] comedi: dt9812: fix DMA buffers on stack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 25/10/2021 12:45, Johan Hovold wrote:

The driver is using endpoint-sized buffers but must not assume that the
tx and rx buffers are of equal size or a malicious device could overflow
the slab-allocated receive buffer when doing bulk transfers.

Fixes: 985cafccbf9b ("Staging: Comedi: vmk80xx: Add k8061 support")
Cc: stable@xxxxxxxxxxxxxxx # 2.6.31
Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
---
drivers/comedi/drivers/vmk80xx.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/drivers/comedi/drivers/vmk80xx.c b/drivers/comedi/drivers/vmk80xx.c
index f2c1572d0cd7..9c56918e3b76 100644
--- a/drivers/comedi/drivers/vmk80xx.c
+++ b/drivers/comedi/drivers/vmk80xx.c
@@ -159,22 +159,20 @@ static void vmk80xx_do_bulk_msg(struct comedi_device *dev)
__u8 rx_addr;
unsigned int tx_pipe;
unsigned int rx_pipe;
- size_t size;
+ size_t tx_size;
+ size_t rx_size;
tx_addr = devpriv->ep_tx->bEndpointAddress;
rx_addr = devpriv->ep_rx->bEndpointAddress;
tx_pipe = usb_sndbulkpipe(usb, tx_addr);
rx_pipe = usb_rcvbulkpipe(usb, rx_addr);
-
- /*
- * The max packet size attributes of the K8061
- * input/output endpoints are identical
- */
- size = usb_endpoint_maxp(devpriv->ep_tx);
+ tx_size = usb_endpoint_maxp(devpriv->ep_tx);
+ rx_size = usb_endpoint_maxp(devpriv->ep_rx);
usb_bulk_msg(usb, tx_pipe, devpriv->usb_tx_buf,
- size, NULL, devpriv->ep_tx->bInterval);
- usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, size, NULL, HZ * 10);
+ tx_size, NULL, devpriv->ep_tx->bInterval);
+
+ usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, rx_size, NULL, HZ * 10);
}
static int vmk80xx_read_packet(struct comedi_device *dev)

Looks good, thanks!

Reviewed-by: Ian Abbott <abbotti@xxxxxxxxx>

--
-=( Ian Abbott <abbotti@xxxxxxxxx> || MEV Ltd. is a company )=-
-=( registered in England & Wales. Regd. number: 02862268. )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-

Next message: Lai Jiangshan: "[PATCH V4 26/50] x86/entry: Convert SWAPGS to swapgs in entry_SYSENTER_compat()"
Previous message: Andrea Righi: "[PATCH] selftests/bpf: fix fclose/pclose mismatch"
In reply to: Johan Hovold: "[PATCH 4/5] comedi: vmk80xx: fix bulk-buffer overflow"
Next in thread: Johan Hovold: "[PATCH 2/5] comedi: dt9812: fix DMA buffers on stack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]