At 2023-07-26 16:33:22, "Oliver Neukum" <oneukum@xxxxxxxx> wrote:
>On 25.07.23 18:11, Dingyan Li wrote:
>
>> In proc_conninfo_ex(), the number of returned bytes is determined by
>> the smaller number between sizeof(struct usbdevfs_conninfo_ex) and a
>> user-specified size. So if we only append new members to the end of
>> struct usbdevfs_conninfo_ex, it won't impact the bytes in the beginning.
>
>You have just caused memory corruption in user space by overwriting what
>was right behind the buffer of the agreed-upon size. Or, not much better,
>caused a segmentation fault.
>
> Regards
> Oliver

How come? The actual number of returned bytes must be smaller than or equal to the user-specified size.
You can check https://elixir.bootlin.com/linux/v6.5-rc3/source/drivers/usb/core/devio.c#L1493

Regards,
Dingyan
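An added user-space model of the size-capped copy the thread is arguing about; it is not the kernel's proc_conninfo_ex() and not code from either poster. It assumes simplified struct layouts (the field names here are constructed, not the real struct usbdevfs_conninfo_ex members) and shows that copying min(sizeof(struct), caller size) bytes leaves the bytes behind an old caller's smaller buffer untouched even after members are appended.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the layout an old caller was built against. */
struct conninfo_v1 {
    uint32_t size;    /* caller fills in the size of its own buffer */
    uint32_t busnum;
    uint32_t devnum;
};

/* Same layout with members appended at the end only (constructed). */
struct conninfo_v2 {
    uint32_t size;
    uint32_t busnum;
    uint32_t devnum;
    uint32_t speed;   /* appended: an old caller never receives it */
    uint32_t portnum; /* appended */
};

/* Model of the kernel-side copy: fill the newest layout, then copy only
 * min(sizeof(newest layout), caller's size) bytes. Returns bytes copied. */
size_t conninfo_ex_copy(void *user_buf, uint32_t user_size)
{
    struct conninfo_v2 ci = {
        .size = user_size, .busnum = 3, .devnum = 7, .speed = 5000, .portnum = 2,
    };
    size_t n = user_size < sizeof(ci) ? user_size : sizeof(ci);
    memcpy(user_buf, &ci, n);
    return n;
}

/* Old caller: buffer sized for v1, followed by a canary byte that the copy
 * must not touch. Returns 1 if the canary survived and the v1 fields were
 * filled, 0 otherwise. */
int old_caller_is_safe(void)
{
    struct { struct conninfo_v1 ci; uint8_t canary; } buf;
    buf.canary = 0xA5;
    size_t n = conninfo_ex_copy(&buf.ci, sizeof(buf.ci));
    return n == sizeof(struct conninfo_v1) && buf.canary == 0xA5
        && buf.ci.busnum == 3 && buf.ci.devnum == 7;
}

/* New caller: buffer sized for v2 receives the whole current layout. */
size_t new_caller_bytes(void)
{
    struct conninfo_v2 ci;
    return conninfo_ex_copy(&ci, sizeof(ci));
}
```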