Am Sonntag, den 11.08.2019, 13:46 -0700 schrieb syzbot: > syzbot has found a reproducer for the following crash on: > > HEAD commit: e96407b4 usb-fuzzer: main usb gadget fuzzer driver > git tree: https://github.com/google/kasan.git usb-fuzzer > console output: https://syzkaller.appspot.com/x/log.txt?x=150426ba600000 > kernel config: https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e > dashboard link: https://syzkaller.appspot.com/bug?extid=5a6c4ec678a0c6ee84ba > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12725c02600000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162163c2600000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+5a6c4ec678a0c6ee84ba@xxxxxxxxxxxxxxxxxxxxxxxxx #syz test: https://github.com/google/kasan.git e96407b4 >From 700a7cc270f06c6e9881f49e36a7722d16ee37db Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum@xxxxxxxx> Date: Thu, 8 Aug 2019 15:08:48 +0200 Subject: [PATCH] HID: use strnlen to not walk through kernel memory If a device sets no phy name we must limit the range for looking for the end of the string lest we touch areas of memory we should not touch. Reported-by: syzbot+5a6c4ec678a0c6ee84ba@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx> --- drivers/hid/hidraw.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c index 006bd6f4f653..c7dcff6222b5 100644 --- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c @@ -443,9 +443,7 @@ static long hidraw_ioctl(struct file *file, unsigned int cmd, } if (_IOC_NR(cmd) == _IOC_NR(HIDIOCGRAWPHYS(0))) { - int len = strlen(hid->phys) + 1; - if (len > _IOC_SIZE(cmd)) - len = _IOC_SIZE(cmd); + int len = strnlen(hid->phys, _IOC_SIZE(cmd)) + 1; ret = copy_to_user(user_arg, hid->phys, len) ? -EFAULT : len; break; -- 2.16.4