Hi Ben,

Thanks for the patch.

On 10/10/2018 11:30 PM, Ben Hutchings wrote:
> Commit 5b22f676118f "usbip: vhci_hcd: check rhport before using in
> vhci_hub_control()" added some validation of rhport, but left
> several problems:
>
> - If VHCI_HC_PORTS < 256, we can get rhport >= VHCI_HC_PORTS which
>   is also out of range. To keep things simple, set rhport to -1 if
>   this would happen.
> - For GetPortStatus, we range-check wIndex (and by implication
>   rhport) and report an error, but *don't* skip the following code.
>   Add a goto to the error path.
> - At the end of the function, there's one last port_status lookup
>   that's not protected by any range check.

I have a patch out for this to fix a syzbot-reported problem.

console output: https://syzkaller.appspot.com/x/log.txt?x=126a6f0e400000
kernel config: https://syzkaller.appspot.com/x/.config?x=531a917630d2a492
dashboard link: https://syzkaller.appspot.com/bug?extid=bccc1fe10b70fadc78d0
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=121caa46400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14ed8ab6400000

I was able to reproduce the problem with the C reproducer and fixed it.

Here is the fix:
https://patchwork.kernel.org/patch/10628833/

Sudip verified the patch.

thanks,
-- Shuah
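The three problems listed in the quoted commit message all come down to one rule: every index into the per-port status array must be derived from a single, checked conversion of wIndex, and an out-of-range request must leave the function before any lookup. The following is an added, stripped-down model of that pattern written for this page; it is not the usbip vhci_hcd driver's code. The value of VHCI_HC_PORTS, the assumption that the port number sits in the low byte of wIndex and is 1-based, and the function names are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for this example: the hub exposes 8 root-hub ports. The real
 * driver's constant may differ; the point is only that it is well below 256,
 * so masking wIndex to one byte does not by itself keep the index in range. */
#define VHCI_HC_PORTS 8

/* Per-port status words, indexed by the 0-based rhport value. */
static uint32_t port_status[VHCI_HC_PORTS];

/* Convert a hub-request wIndex into a 0-based root-hub port index.
 * Returns -1 for any wIndex that does not name a real port: port 0 (which is
 * not a port in USB hub requests), anything above VHCI_HC_PORTS, and in
 * particular a low byte such as 0xff that survives masking but is still out
 * of range of port_status[]. Callers must check for -1 before indexing. */
int rhport_from_windex(uint16_t wIndex)
{
    unsigned int port = wIndex & 0x00ffu;   /* assumed: port number in low byte */

    if (port == 0 || port > VHCI_HC_PORTS)
        return -1;
    return (int)port - 1;
}

/* Model of the GetPortStatus path: on a bad index we take the error path and
 * skip the lookup entirely, rather than reporting an error and continuing. */
int get_port_status(uint16_t wIndex, uint32_t *status)
{
    int rhport = rhport_from_windex(wIndex);

    if (rhport < 0)
        goto error;                  /* nothing below may touch port_status[] */

    *status = port_status[rhport];
    return 0;

error:
    return -1;
}

/* Model of a feature-setting request that also writes port_status[]; it
 * reuses the same checked index so there is no second, unchecked lookup. */
int set_port_feature(uint16_t wIndex, uint32_t feature)
{
    int rhport = rhport_from_windex(wIndex);

    if (rhport < 0)
        return -1;

    port_status[rhport] |= feature;
    return 0;
}

int main(void)
{
    uint32_t status = 0;

    /* Constructed inputs: a valid port, port 0, one past the last port, and
     * a low byte of 0xff, which a bare "& 0xff" would let through. */
    printf("wIndex=1    -> rhport %d\n", rhport_from_windex(1));
    printf("wIndex=0    -> rhport %d\n", rhport_from_windex(0));
    printf("wIndex=%d    -> rhport %d\n", VHCI_HC_PORTS + 1,
           rhport_from_windex((uint16_t)(VHCI_HC_PORTS + 1)));
    printf("wIndex=0xff -> rhport %d\n", rhport_from_windex(0x00ff));
    printf("GetPortStatus(0xff) = %d\n", get_port_status(0x00ff, &status));
    return 0;
}
```

The same `rhport_from_windex()` result is reused by every path that indexes the array, which is what closes the "one last unprotected lookup" case: there is no place left where a raw wIndex, masked or not, reaches `port_status[]`.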