From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Greg Kroah-Hartman", "Jann Horn"
Date: Sat, 22 Sep 2018 01:15:42 +0100
Subject: [PATCH 3.16 41/63] USB: yurex: fix out-of-bounds uaccess in read handler

3.16.58-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn

commit f1e255d60ae66a9f672ff9a207ee6cd8e33d2679 upstream.

In general, accessing userspace memory beyond the length of the supplied
buffer in VFS read/write handlers can lead to both kernel memory corruption
(via kernel_read()/kernel_write(), which can e.g. be triggered via
sys_splice()) and privilege escalation inside userspace.

Fix it by using simple_read_from_buffer() instead of custom logic.

Fixes: 6bc235a2e24a ("USB: add driver for Meywa-Denki & Kayac YUREX")
Signed-off-by: Jann Horn
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
 drivers/usb/misc/yurex.c | 23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)

--- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -413,8 +413,7 @@ static int yurex_release(struct inode *i static ssize_t yurex_read(struct file *file, char *buffer, size_t count, loff_t *ppos) { struct usb_yurex *dev; - int retval = 0; - int bytes_read = 0; + int len = 0; char in_buffer[20]; unsigned long flags;
@@ -422,26 +421,16 @@ static ssize_t yurex_read(struct file *f mutex_lock(&dev->io_mutex); if (!dev->interface) { /* already disconnected */ - retval = -ENODEV; - goto exit; + mutex_unlock(&dev->io_mutex); + return -ENODEV; } spin_lock_irqsave(&dev->lock, flags); - bytes_read = snprintf(in_buffer, 20, "%lld\n", dev->bbu); + len = snprintf(in_buffer, 20, "%lld\n", dev->bbu); spin_unlock_irqrestore(&dev->lock, flags); - - if (*ppos < bytes_read) { - if (copy_to_user(buffer, in_buffer + *ppos, bytes_read - *ppos)) - retval = -EFAULT; - else { - retval = bytes_read - *ppos; - *ppos += bytes_read; - } - } - -exit: mutex_unlock(&dev->io_mutex); - return retval; + + return simple_read_from_buffer(buffer, count, ppos, in_buffer, len); } static ssize_t yurex_write(struct file *file, const char *user_buffer, size_t count, loff_t *ppos)
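Review bot: in the first hunk, the initializer on `+ int len = 0;` is dead; `len` is assigned unconditionally from snprintf() under dev->lock before its only use in simple_read_from_buffer(), so plain `int len;` is enough and does not suggest a path on which it stays zero.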
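Review bot: in the second hunk, `len = snprintf(in_buffer, 20, "%lld\n", dev->bbu);` feeds snprintf()'s return value to simple_read_from_buffer() as the number of bytes available, but snprintf() returns the length the formatted string would have had, not the number of bytes actually stored. If dev->bbu ever formats to 20 or more characters (a negative 64-bit value is up to 20 characters before the newline), `len` exceeds the 20-byte in_buffer and simple_read_from_buffer() copies stack bytes past the end of in_buffer to userspace. `len = scnprintf(in_buffer, sizeof(in_buffer), "%lld\n", dev->bbu);` bounds `len` by what was really written and drops the duplicated literal 20.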
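The vulnerability class the commit message describes (a read handler that copies `bytes_read - *ppos` bytes without regard to the caller's `count`), as an added user-space example that is not part of this patch or of the yurex driver. It models copy_to_user() with a guard-filled "user" buffer, reproduces the pre-patch copy logic, and reimplements the contract of simple_read_from_buffer() (clamp to `count` and to the bytes available, advance *ppos by the bytes actually copied) so the two can be run against the same request. The 64-byte mapping, the 0xA5 guard byte and the device value 1234567 are constructed for the example; `fake_copy_to_user`, `old_read`, `model_simple_read_from_buffer`, `run_old` and `run_fixed` are names invented here.

```c
/* Added example, not from the patch or the yurex driver: a user-space model of
 * the pre-patch yurex_read() copy logic beside the simple_read_from_buffer()
 * contract, with a guarded "user" buffer that detects writes past `count`. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define GUARD 0xA5            /* canary beyond the caller's `count` (constructed) */
#define VALUE 1234567LL       /* constructed device value: "1234567\n" = 8 bytes */

static unsigned char user_mem[64];   /* stand-in for the caller's mapping */
/* 1 if any byte beyond the `count` the caller asked for was overwritten. */
static int user_mem_overrun(size_t count)
{
    size_t i;
    for (i = count; i < sizeof(user_mem); i++)
        if (user_mem[i] != GUARD)
            return 1;
    return 0;
}

/* Stand-in for copy_to_user(): copies blindly, returns 0 on success. */
static unsigned long fake_copy_to_user(const void *src, size_t n)
{
    if (n > sizeof(user_mem))
        return n;             /* outside the mapping: would be -EFAULT */
    memcpy(user_mem, src, n);
    return 0;
}

/* Pre-patch logic: copies bytes_read - *ppos and never consults `count`. */
static ssize_t old_read(size_t count, long long *ppos,
                        const char *in_buffer, int bytes_read)
{
    ssize_t retval = 0;
    (void)count;              /* the bug: count is ignored */
    if (*ppos < bytes_read) {
        if (fake_copy_to_user(in_buffer + *ppos, bytes_read - *ppos))
            retval = -EFAULT;
        else {
            retval = bytes_read - *ppos;
            *ppos += bytes_read;
        }
    }
    return retval;
}

/* simple_read_from_buffer() contract: clamp to the bytes available and to
 * `count`, advance *ppos by the bytes actually copied. */
static ssize_t model_simple_read_from_buffer(size_t count, long long *ppos,
                                             const char *from, size_t available)
{
    long long pos = *ppos;
    if (pos < 0)
        return -EINVAL;
    if ((size_t)pos >= available || !count)
        return 0;
    if (count > available - (size_t)pos)
        count = available - (size_t)pos;
    if (fake_copy_to_user(from + pos, count))
        return -EFAULT;
    *ppos = pos + count;
    return (ssize_t)count;
}

/* One read() of `count` bytes through the old logic: bytes returned, or -1 if
 * the handler wrote past what the caller asked for. */
static ssize_t run_old(size_t count)
{
    char in_buffer[20];
    long long ppos = 0;
    int len = snprintf(in_buffer, sizeof(in_buffer), "%lld\n", VALUE);
    ssize_t r;
    memset(user_mem, GUARD, sizeof(user_mem));
    r = old_read(count, &ppos, in_buffer, len);
    return user_mem_overrun(count) ? -1 : r;
}

/* read() loop with `count`-byte requests through the fixed contract: total
 * bytes delivered, or -1 if any call wrote past what the caller asked for. */
static ssize_t run_fixed(size_t count)
{
    char in_buffer[20];
    long long ppos = 0;
    int len = snprintf(in_buffer, sizeof(in_buffer), "%lld\n", VALUE);
    ssize_t total = 0, r;
    memset(user_mem, GUARD, sizeof(user_mem));
    while ((r = model_simple_read_from_buffer(count, &ppos, in_buffer, len)) > 0) {
        if (user_mem_overrun(count))
            return -1;
        total += r;
    }
    return r < 0 ? r : total;
}

int main(void)
{
    printf("old read(2): %zd   fixed read(2) loop: %zd\n", run_old(2), run_fixed(2));
    return 0;
}
```

With a 2-byte request the old logic still copies all 8 bytes of "1234567\n" and trips the guard, which is the out-of-bounds uaccess the patch removes; the modelled simple_read_from_buffer() returns 2 and advances *ppos by 2, so repeated short reads deliver the full 8 bytes without ever writing beyond `count`.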