Patch "USB: ene_usb6250: Allocate enough memory for full object" has been added to the 5.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    USB: ene_usb6250: Allocate enough memory for full object

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-ene_usb6250-allocate-enough-memory-for-full-obje.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 45013dee80a0540f1fae6283b6a1f54a8d470f9a
Author: Kees Cook <keescook@xxxxxxxxxxxx>
Date:   Sat Feb 4 10:35:46 2023 -0800

    USB: ene_usb6250: Allocate enough memory for full object
    
    [ Upstream commit ce33e64c1788912976b61314b56935abd4bc97ef ]
    
    The allocation of PageBuffer is 512 bytes in size, but the dereferencing
    of struct ms_bootblock_idi (also size 512) happens at a calculated offset
    within the allocation, which means the object could potentially extend
    beyond the end of the allocation. Avoid this case by just allocating
    enough space to catch any accesses beyond the end. Seen with GCC 13:
    
    ../drivers/usb/storage/ene_ub6250.c: In function 'ms_lib_process_bootblock':
    ../drivers/usb/storage/ene_ub6250.c:1050:44: warning: array subscript 'struct ms_bootblock_idi[0]' is partly outside array bounds of 'unsigned char[512]' [-Warray-bounds=]
     1050 |                         if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
          |                                            ^~
    ../include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu'
       37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
          |                                                   ^
    ../drivers/usb/storage/ene_ub6250.c:1050:29: note: in expansion of macro 'le16_to_cpu'
     1050 |                         if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
          |                             ^~~~~~~~~~~
    In file included from ../drivers/usb/storage/ene_ub6250.c:5:
    In function 'kmalloc',
        inlined from 'ms_lib_process_bootblock' at ../drivers/usb/storage/ene_ub6250.c:942:15:
    ../include/linux/slab.h:580:24: note: at offset [256, 512] into object of size 512 allocated by 'kmalloc_trace'
      580 |                 return kmalloc_trace(
          |                        ^~~~~~~~~~~~~~
      581 |                                 kmalloc_caches[kmalloc_type(flags)][index],
          |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      582 |                                 flags, size);
          |                                 ~~~~~~~~~~~~
    
    Cc: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230204183546.never.849-kees@xxxxxxxxxx
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/usb/storage/ene_ub6250.c b/drivers/usb/storage/ene_ub6250.c
index 9c984f3c7248a..b076260a2ca49 100644
--- a/drivers/usb/storage/ene_ub6250.c
+++ b/drivers/usb/storage/ene_ub6250.c
@@ -938,7 +938,7 @@ static int ms_lib_process_bootblock(struct us_data *us, u16 PhyBlock, u8 *PageDa
 	struct ms_lib_type_extdat ExtraData;
 	struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
 
-	PageBuffer = kmalloc(MS_BYTES_PER_PAGE, GFP_KERNEL);
+	PageBuffer = kzalloc(MS_BYTES_PER_PAGE * 2, GFP_KERNEL);
 	if (PageBuffer == NULL)
 		return (u32)-1;
 



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux