Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3917266imm; Mon, 8 Oct 2018 11:39:17 -0700 (PDT) X-Google-Smtp-Source: ACcGV60wmPRvjAmQbqtTwbSgTlhsE5it8enkR0pr1SY3GsNz8UoYU+IxiX8C10sXPdDR/ifHYImz X-Received: by 2002:aa7:814f:: with SMTP id d15-v6mr26573142pfn.78.1539023957351; Mon, 08 Oct 2018 11:39:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539023957; cv=none; d=google.com; s=arc-20160816; b=ZiPiGnS1ATlgtAbQaK1XbJx4FEABXew4EuXKugidHBtEZVxjdZRDjWF7lwzBVmVOp6 d6zbDQudV0j18sKEnU7MQ0PDF39DZNKRwHvtIn82gecZMpQ9QyKykxd4hKdE2B/yrgtW m3eoXqGUkpqt2sRR8Zgq7/aPsjW2c2c1LJimym9TGvdoWjmjcLhvm9PN59iAnKhB4I4e 9MD4SoasooyTe3qLyYuVUE+k9FhvlwmKmR0QP3AJRdcg9Js6m/h8awGPLF4xc3lOVh/9 +1rKIb3+0AHIh1BroYP19IKo4nYE8VrNxrXUEKBTlk4bhcT3jQu8Xyqzj7/O4pVlTkoS 9FlA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=jMAe0BDwdAeUdQHBODBGi1AI59AtBfwVg6vWt25TZ18=; b=d7m5s1nxBrqoJs3afX2ShD5nSqlh78kdyOUWmlQ4q4DIrszN/8iCPLP4vQLzH5lNWS vF6zyGsBNdeWUIKXF8hB770+gqxtVB/gPBac+hfYqrEs2HOAacBTxxgqHZTwmlkaWDEt RbV9Zolqn6FEyuadfSSsFi9s1USwccDYMO5lqGi+WZvQM2ogX9uhpSd7Kbbf8QAiH54i Ykpc71ns/+QjwRUy15xvQEjRAxt0GobFSYBfn9/DLRWdaNJznznZGlBGMTB8+vS5JdT5 SFiSv/jXyx1xPlNnFmqPcSLwSsybsvd1w0ZJ0q2tzi6yGkTUFM73ok7Vv5JCyXtslynR Q+rA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nLKaJDgU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x17-v6si17605696pgl.414.2018.10.08.11.39.02; Mon, 08 Oct 2018 11:39:17 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nLKaJDgU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728768AbeJIBuI (ORCPT + 99 others); Mon, 8 Oct 2018 21:50:08 -0400 Received: from mail.kernel.org ([198.145.29.99]:35856 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726529AbeJIBuH (ORCPT ); Mon, 8 Oct 2018 21:50:07 -0400 Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9506B2087D; Mon, 8 Oct 2018 18:37:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539023824; bh=hoq3dbOftU5Vbvjvk8ONskX1qvc5XhkyYQ6x1nQQzkc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nLKaJDgUkscVR7gXRGIch+Wq45FXZMrpg5vQuUhM3b0AkPTg7RO2vGUPTrMHtOpzy 4Oyg6B++mUK9viKfjoVc9xJzyyCim06iZYn4Ryp5p+x6at7a6Vvw4gxygA0e3jLW65 SxLd6awXzYkQzVAOyEy6tORSXZx+2zDf94A1sBM0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ben Hutchings , Sasha Levin Subject: [PATCH 4.4 096/113] USB: yurex: Check for truncation in yurex_read() Date: Mon, 8 Oct 2018 20:31:37 +0200 Message-Id: <20181008175536.543068387@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20181008175530.864641368@linuxfoundation.org> References: <20181008175530.864641368@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ben Hutchings [ Upstream commit 14427b86837a4baf1c121934c6599bdb67dfa9fc ] snprintf() always returns the full length of the string it could have printed, even if it was truncated because the buffer was too small. So in case the counter value is truncated, we will over-read from in_buffer and over-write to the caller's buffer. I don't think it's actually possible for this to happen, but in case truncation occurs, WARN and return -EIO. Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/yurex.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -431,6 +431,9 @@ static ssize_t yurex_read(struct file *f spin_unlock_irqrestore(&dev->lock, flags); mutex_unlock(&dev->io_mutex); + if (WARN_ON_ONCE(len >= sizeof(in_buffer))) + return -EIO; + return simple_read_from_buffer(buffer, count, ppos, in_buffer, len); }