On Wed, Aug 15, 2018 at 10:44 PM Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx> wrote: > > If the written data starts with a digit, yurex_write() tries to parse > it as an integer using simple_strtoull(). This requires a null- > terminator, and currently there's no guarantee that there is one. Oh, good catch. > (The sample program at > https://github.com/NeoCat/YUREX-driver-for-Linux/blob/master/sample/yurex_clock.pl > writes an integer without a null terminator. It seems like it must > have worked by chance!) > > Always add a null byte after the written data. Enlarge the buffer > to allow for this. > > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx> > --- > drivers/usb/misc/yurex.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c > index 3be40eaa1ac9..1232dd49556d 100644 > --- a/drivers/usb/misc/yurex.c > +++ b/drivers/usb/misc/yurex.c > @@ -421,13 +421,13 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, > { > struct usb_yurex *dev; > int i, set = 0, retval = 0; > - char buffer[16]; > + char buffer[16 + 1]; > char *data = buffer; > unsigned long long c, c2 = 0; > signed long timeout = 0; > DEFINE_WAIT(wait); > > - count = min(sizeof(buffer), count); > + count = min(sizeof(buffer) - 1, count); > dev = file->private_data; > > /* verify that we actually have some data to write */ > @@ -446,6 +446,7 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, > retval = -EFAULT; > goto error; > } > + buffer[count] = 0; > memset(dev->cntl_buffer, CMD_PADDING, YUREX_BUF_SIZE); > > switch (buffer[0]) { By the way: A little bit below here, there's some other line that looks bogus: > buffer[6] = CMD_EOF; AFAICS that should probably go into ->cntl_buffer; `buffer` and `data` aren't used below that point. But that'd just be a functional bug, not security-relevant, so I'm not sure whether anyone cares.
