linux/drivers/usb
Kees Cook ce33e64c17 USB: ene_usb6250: Allocate enough memory for full object
The allocation of PageBuffer is 512 bytes in size, but the dereferencing
of struct ms_bootblock_idi (also size 512) happens at a calculated offset
within the allocation, which means the object could potentially extend
beyond the end of the allocation. Avoid this case by just allocating
enough space to catch any accesses beyond the end. Seen with GCC 13:

../drivers/usb/storage/ene_ub6250.c: In function 'ms_lib_process_bootblock':
../drivers/usb/storage/ene_ub6250.c:1050:44: warning: array subscript 'struct ms_bootblock_idi[0]' is partly outside array bounds of 'unsigned char[512]' [-Warray-bounds=]
 1050 |                         if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
      |                                            ^~
../include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu'
   37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
      |                                                   ^
../drivers/usb/storage/ene_ub6250.c:1050:29: note: in expansion of macro 'le16_to_cpu'
 1050 |                         if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
      |                             ^~~~~~~~~~~
In file included from ../drivers/usb/storage/ene_ub6250.c:5:
In function 'kmalloc',
    inlined from 'ms_lib_process_bootblock' at ../drivers/usb/storage/ene_ub6250.c:942:15:
../include/linux/slab.h:580:24: note: at offset [256, 512] into object of size 512 allocated by 'kmalloc_trace'
  580 |                 return kmalloc_trace(
      |                        ^~~~~~~~~~~~~~
  581 |                                 kmalloc_caches[kmalloc_type(flags)][index],
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  582 |                                 flags, size);
      |                                 ~~~~~~~~~~~~

Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230204183546.never.849-kees@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-02-06 13:46:42 +01:00
atm usb: move from strlcpy with unused retval to strscpy 2022-08-19 11:08:54 +02:00
c67x00 USB: c67x00: remove unnecessary check of res 2022-05-12 11:36:46 +02:00
cdns3 Merge 6.2-rc5 into usb-next 2023-01-23 15:38:08 +01:00
chipidea USB: chipidea: fix memory leak with using debugfs_lookup() 2023-02-06 13:46:41 +01:00
class USB: make devnode() callback in usb_class_driver take a const * 2022-10-20 12:11:56 +02:00
common USB: ULPI: fix memory leak with using debugfs_lookup() 2023-02-06 13:46:41 +01:00
core USB: core: Don't hold device lock while reading the "descriptors" sysfs file 2023-01-31 21:54:35 +01:00
dwc2 usb: dwc2: power on/off phy for peripheral mode in dual-role mode 2022-12-08 16:50:56 +01:00
dwc3 USB: dwc3: fix memory leak with using debugfs_lookup() 2023-02-06 13:46:41 +01:00
early usb: early: xhci-dbc: Use memcpy_and_pad() 2023-01-31 10:40:54 +01:00
fotg210 USB: fotg210: fix memory leak with using debugfs_lookup() 2023-02-06 13:46:42 +01:00
gadget USB: gadget: pxa27x_udc: fix memory leak with using debugfs_lookup() 2023-02-06 13:46:42 +01:00
host usb: host: xhci: mvebu: Iterate over array indexes instead of using pointer math 2023-02-06 13:46:42 +01:00
image usb/image: fix repeated words in comments 2022-07-27 14:33:53 +02:00
isp1760 usb: isp1760: Fix out-of-bounds array access 2022-05-19 18:10:59 +02:00
misc Merge 6.2-rc5 into usb-next 2023-01-23 15:38:08 +01:00
mon usb: mon: make mmapped memory read only 2022-09-22 15:52:29 +02:00
mtu3 usb: mtu3: fix the failure of qmu stop 2023-01-19 14:12:08 +01:00
musb usb: musb: sunxi: Introduce config struct 2023-02-02 11:13:42 +01:00
phy usb: isp1301-omap: Convert to i2c's .probe_new() 2022-11-22 17:33:27 +01:00
renesas_usbhs usb: renesas: Fix refcount leak bug 2022-06-21 16:39:03 +02:00
roles Driver Core changes for 6.2-rc1 2022-12-16 03:54:54 -08:00
serial USB: serial: option: add Quectel EM05CN modem 2023-01-16 08:47:47 +01:00
storage USB: ene_usb6250: Allocate enough memory for full object 2023-02-06 13:46:42 +01:00
typec Merge 6.2-rc7 into usb-next 2023-02-06 08:33:30 +01:00
usbip Including fixes from bpf, netfilter and can. 2022-12-21 08:41:32 -08:00
Kconfig usb: fotg210: Collect pieces of dual mode controller 2022-11-09 12:38:09 +01:00
Makefile usb: fotg210: Collect pieces of dual mode controller 2022-11-09 12:38:09 +01:00
usb-skeleton.c usb: add usb_set_intfdata() documentation 2022-11-29 08:56:09 +01:00