Am Mittwoch, den 14.08.2019, 04:38 -0700 schrieb syzbot: > Hello, > > syzbot found the following crash on: > > HEAD commit: d0847550 usb-fuzzer: main usb gadget fuzzer driver > git tree: https://github.com/google/kasan.git usb-fuzzer > console output: https://syzkaller.appspot.com/x/log.txt?x=16295d4a600000 > kernel config: https://syzkaller.appspot.com/x/.config?x=dbc9c80cc095da19 > dashboard link: https://syzkaller.appspot.com/bug?extid=55b0304b360654a7537b > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1288a31c600000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15282e86600000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+55b0304b360654a7537b@xxxxxxxxxxxxxxxxxxxxxxxxx #syz test: https://github.com/google/kasan.git d0847550 >From 5fa900e86e57d92a0b23a1a60ff4f4f13e997a93 Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum@xxxxxxxx> Date: Wed, 14 Aug 2019 15:21:41 +0200 Subject: [PATCH] usbtmc: more sanity checking for packet size A malicious device can make the driver divide ny zero with a nonsense maximum packet size. SIgned-off-by: Oliver Neukum <oneukum@xxxxxxxx> --- drivers/usb/class/usbtmc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c index 4942122b2346..11042ca56818 100644 --- a/drivers/usb/class/usbtmc.c +++ b/drivers/usb/class/usbtmc.c @@ -2364,6 +2364,8 @@ static int usbtmc_probe(struct usb_interface *intf, data->bulk_in = bulk_in->bEndpointAddress; data->wMaxPacketSize = usb_endpoint_maxp(bulk_in); + if (!data->wMaxPacketSize) + goto err_put; dev_dbg(&intf->dev, "Found bulk in endpoint at %u\n", data->bulk_in); data->bulk_out = bulk_out->bEndpointAddress; -- 2.16.4
