Re:Re: [PATCH] USB: add usbfs ioctl to get specific superspeedplus rates

From: Dingyan Li
Date: Wed Jul 26 2023 - 05:38:35 EST


At 2023-07-26 16:33:22, "Oliver Neukum" <oneukum@xxxxxxxx> wrote:
>On 25.07.23 18:11, Dingyan Li wrote:
>
>> In proc_conninfo_ex(), the number of returned bytes is determined by
>> the smaller number between sizeof(struct usbdevfs_conninfo_ex) and a
>> user specified size. So if we only append new members to the end of
>> struct usbdevfs_conninfo_ex, it won't impact the bytes in the beginning.
>
>You have just caused memory corruption in user space by overwriting what
>was right behind the buffer of the agreed upon size. Or, not much better,
>caused a segmentation fault.
>
> Regards
> Oliver

How come?

The actual returned bytes must be smaller than or equal to the user-specified size.
You can check https://elixir.bootlin.com/linux/v6.5-rc3/source/drivers/usb/core/devio.c#L1493

Regards,
Dingyan
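
The size-capped copy-out this thread is discussing, as an added example that is not part of any message above and is not the kernel's code. It is a userspace C model: the struct names, the appended `ssp_rate` member and all values are assumptions, and `memcpy()` stands in for `copy_to_user()`.

```c
#include <stdint.h>
#include <string.h>

/* Layout an old caller was built against (model, not the UAPI header). */
struct conninfo_v1 { uint32_t size, busnum, devnum, speed; };

/* Newer layout: one hypothetical member appended at the end. */
struct conninfo_v2 { uint32_t size, busnum, devnum, speed, ssp_rate; };

/* Model of the copy-out: writes at most user_size bytes to dst.
 * Returns the byte count so the caller can check it (a choice of this
 * model), or -1 if the caller cannot even hold the 'size' member. */
static int conninfo_copy_out(void *dst, size_t user_size)
{
    struct conninfo_v2 ci;
    size_t n;

    if (user_size < sizeof(ci.size))
        return -1;
    memset(&ci, 0, sizeof(ci));   /* zero first: no stale stack bytes copied out */
    ci.size = sizeof(ci);         /* tells the caller how much the producer knows */
    ci.busnum = 1; ci.devnum = 4; /* constructed sample values */
    ci.speed = 6; ci.ssp_rate = 2;
    n = user_size < sizeof(ci) ? user_size : sizeof(ci);
    memcpy(dst, &ci, n);          /* stands in for copy_to_user() */
    return (int)n;
}

/* Old caller: v1-sized buffer with a canary directly behind it.
 * Returns 1 if only the v1 bytes were written and the canary survived. */
static int old_caller_ok(void)
{
    struct { struct conninfo_v1 ci; uint32_t canary; } buf;
    int n;

    memset(&buf, 0xAA, sizeof(buf));
    buf.canary = 0xC0FFEEu;
    n = conninfo_copy_out(&buf.ci, sizeof(buf.ci));
    return n == (int)sizeof(buf.ci) && buf.canary == 0xC0FFEEu &&
           buf.ci.busnum == 1 && buf.ci.devnum == 4 && buf.ci.speed == 6 &&
           buf.ci.size == sizeof(struct conninfo_v2);
}

/* New caller: v2-sized buffer, so the appended member is delivered. */
static uint32_t new_caller_rate(void)
{
    struct conninfo_v2 ci;
    return conninfo_copy_out(&ci, sizeof(ci)) == (int)sizeof(ci) ? ci.ssp_rate : 0;
}
```

The cap only bounds the write by the size the caller passes in, so the model holds for a caller whose stated size does not exceed its real buffer.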