Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751416AbcL1Lxf (ORCPT <rfc822;w@1wt.eu>);
        Wed, 28 Dec 2016 06:53:35 -0500
Received: from mga09.intel.com ([134.134.136.24]:4569 "EHLO mga09.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751364AbcL1Lxd (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 28 Dec 2016 06:53:33 -0500
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.33,422,1477983600"; 
   d="asc'?scan'208";a="916820395"
From: Felipe Balbi <balbi@kernel.org>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Andrey Konovalov <andreyknvl@google.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Marek Szyprowski <m.szyprowski@samsung.com>,
        David Sterba <dsterba@suse.com>,
        Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>,
        David Eccher <d.eccher@gmail.com>, Bin Liu <b-liu@ti.com>,
        Mathieu Laurendeau <mat.lau@laposte.net>,
        Binyamin Sharet <s.binyamin@gmail.com>,
        "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
        linux-usb@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        Dmitry Vyukov <dvyukov@google.com>, Kostya Serebryany <kcc@google.com>,
        syzkaller <syzkaller@googlegroups.com>
Subject: Re: net/gadget: slab-out-of-bounds write in dev_config
In-Reply-To: <Pine.LNX.4.44L0.1612271007290.21478-100000@netrider.rowland.org>
References: <Pine.LNX.4.44L0.1612271007290.21478-100000@netrider.rowland.org>
Date: Wed, 28 Dec 2016 13:51:48 +0200
Message-ID: <874m1o1dbf.fsf@linux.intel.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
        micalg=pgp-sha256; protocol="application/pgp-signature"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4042
Lines: 112

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable


Hi,

Alan Stern <stern@rowland.harvard.edu> writes:
>> > Index: usb-4.x/drivers/usb/gadget/legacy/inode.c
>> > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> > --- usb-4.x.orig/drivers/usb/gadget/legacy/inode.c
>> > +++ usb-4.x/drivers/usb/gadget/legacy/inode.c
>> > @@ -1126,7 +1126,7 @@ ep0_write (struct file *fd, const char _
>> >  	/* data and/or status stage for control request */
>> >  	} else if (dev->state =3D=3D STATE_DEV_SETUP) {
>> >=20=20
>> > -		/* IN DATA+STATUS caller makes len <=3D wLength */
>> > +		len =3D min(len, (size_t) dev->setup_wLength);
>> >  		if (dev->setup_in) {
>> >  			retval =3D setup_req (dev->gadget->ep0, dev->req, len);
>> >  			if (retval =3D=3D 0) {
>> >
>>=20
>> I already have a patch from Greg for this. See [1]
>>=20
>> [1] https://git.kernel.org/cgit/linux/kernel/git/balbi/usb.git/commit/?i=
d=3D230bc0cb8ff222d9f0fbbd93a80393140b39481f
>
> The two patches fix different problems.  My patch goes on the pathway
> where dev->state > STATE_DEV_OPENED in dev_config(), and Greg's patch
> handles the case where it is <=3D.

Okay, here's what I have so far in my testing/fixes:

$ git --no-pager shortlog testing/fixes ^linus/master
Alan Stern (5):
      USB: dummy-hcd: fix bug in stop_activity (handle ep0)
      USB: gadgetfs: fix unbounded memory allocation bug
      USB: gadgetfs: fix use-after-free bug
      USB: gadgetfs: fix checks of wTotalLength in config descriptors
      USB: gadgetfs: remove unnecessary assignment

Baolin Wang (1):
      usb: gadget: f_fs: Fix possibe deadlock

Felipe Balbi (4):
      usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb()
      usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb()
      usb: dwc3: gadget: always unmap EP0 requests
      usb: dwc3: core: avoid Overflow events

Greg Kroah-Hartman (1):
      usb: gadgetfs: restrict upper bound on device configuration size

Grygorii Strashko (1):
      usb: dwc3: omap: fix race of pm runtime with irq handler in probe

Hans de Goede (1):
      usb: dwc3: pci: Fix dr_mode misspelling

Heikki Krogerus (1):
      usb: dwc3: pci: add Intel Gemini Lake PCI ID

Janusz Dziedzic (1):
      usb: dwc3: skip interrupt when ep disabled

John Youn (1):
      usb: dwc3: pci: Add "linux,sysdev_is_parent" property

Krzysztof Opasiak (1):
      usb: gadget: composite: Test get_alt() presence instead of set_alt()

Marek Szyprowski (1):
      usb: dwc2: fix flags for DMA descriptor allocation in dwc2_hsotg_ep_e=
nable

Stefan Wahren (4):
      usb: dwc2: Do not set host parameter in peripheral mode
      usb: dwc2: fix dwc2_get_device_property for u8 and u16
      usb: dwc2: fix default value for DMA support
      usb: dwc2: gadget: fix default value for gadget-dma-desc

Vincent Pelletier (2):
      usb: gadget: f_fs: Document eventfd effect on descriptor format.
      usb: gadget: f_fs: Fix ExtCompat descriptor validation


=2D-=20
balbi

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEElLzh7wn96CXwjh2IzL64meEamQYFAlhjp1QACgkQzL64meEa
mQbXahAAvN/iXaOHqNb6NeSvohvQAVE4DH3veNQqP+Q3JBy6C2Dv3FOtECAyUfpL
lRopDENMzHgGXYsdHUyI09rGEba+00xZUA4Vd7YjtmeKjdG9dm5WX5wbpsem5XHp
pu2Gvbq0VPp0HPxk4gCImMQgEn6gGk/a3QS9HvgTi2M/5+jcBUuqYD918yr2iRDW
0KGbntUs5R/GEg5q/rtogDoEcXMaPFlKoXSRGRqZJlHQyI9awKiOiaFUdP75rS+9
lUOGXRVSWowOBswhfm/jHBTGLQsk3lc7CAz14ghYmM0fpk1gBJx5YBCC+dDvcuaT
cLIyMyfUcf5kqcIDV8kp1SQzs32z7PBB8vOf10c+Xa8ZZXveXjmQ++PJp2C3+qxv
LNXPZpmMIZdC44bhNseS3Xkf1VV73RY8jb2Zgo3uhWeVeJcM2pTHsJ+xxxUAeD1j
KQxk/xBlVHk7ar9nXKuxXtLyTWQfqJPU2xi+OP8aUkYR9jjSoMIOcWNUcW3qyBus
LhGTY23Ay4YGM/9QD9I+8Es8YDpisWAQCUw4fGLil/2Zi6X5XNN1e0JeQLp3a5yg
v33U6YZBffRj54WVuiGAQJiECGWYP8mTVjd84Jd/faJpqJ4zczue4Q5VslsMHWdk
YuRaOBhyrdwtJ0tIWjmBauFjlDmqVVf47R8Us/3uW20GDEpuamc=
=mjgL
-----END PGP SIGNATURE-----
--=-=-=--