Kees Cook wrote:
> If the iowarrior devices in this case statement support more than 8 bytes
> per report, it is possible to write past the end of a kernel heap allocation.
> This will probably never be possible, but change the allocation to be more
> defensive anyway.
I think this might be triggered from user space, indeed. The iowarrior_class.fops->write
points directly to the function iowarrior_write(). The iowarrior_class itself
is passed to the function usb_register_dev(), which means that the write() system
call to the character device will result in calling the iowarrior_write() function.
> Signed-off-by: Kees Cook <kees.cook@xxxxxxxxxxxxx>
Acked-by: Márton Németh <nm127@xxxxxxxxxxx>
There might be similar problem also in the case USB_DEVICE_ID_CODEMERCS_IOW56. There
is buf is allocated with usb_alloc_coherent() to the size dev->report_size. However,
some lines later the copy_from_user() function tries to copy "count" number of
bytes to the dev->report_size allocated buffer. Unfortunately I don't have such
devices to try the driver so these are just coming from "static analysis".
> ---
> drivers/usb/misc/iowarrior.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
> index bc88c79..8ed8d05 100644
> --- a/drivers/usb/misc/iowarrior.c
> +++ b/drivers/usb/misc/iowarrior.c
> @@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
> case USB_DEVICE_ID_CODEMERCS_IOWPV2:
> case USB_DEVICE_ID_CODEMERCS_IOW40:
> /* IOW24 and IOW40 use a synchronous call */
> - buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both products */
> + buf = kmalloc(count, GFP_KERNEL);
> if (!buf) {
> retval = -ENOMEM;
> goto exit;
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
