Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3923263imm; Mon, 8 Oct 2018 11:45:14 -0700 (PDT) X-Google-Smtp-Source: ACcGV62RmroxyZI8DJBH5YwjmaADAwwzTRZirIWjeKg6nT2UfvZURGjb7KnU+fEnf2XYYWFwjzDu X-Received: by 2002:a65:4301:: with SMTP id j1-v6mr22288467pgq.279.1539024314695; Mon, 08 Oct 2018 11:45:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539024314; cv=none; d=google.com; s=arc-20160816; b=cPLpZ23uNbod4ELOuNcb/3SzejPRE7NVncokFHGB4Ph/MJnPdE0EQ6FQw4xiz8sChx bQoubK2f5NV+Abbf6X+1Bu8l2SXnmqfBzyxRdvuXTj5SB45FJbJj0JoOMNcmcDppNqiU pvTH9FdTFPC4It7H247Rbedmy27w1Oa5CvE0rYazLsfJRt7qHq7kVXuktWdjfyxgCMFf QKz9BQLGvynlSXLXZFtF/42+oSrXy9KOQ2Ee5hMpImelHdIFB6rn10hMNTh8tl05tjd7 +t9t75tj7Fwi08GMf98nZOn6JpYvJcrWxpyEUrLo22wwAZqaX2qHRk2MuLw6CEfnRQpT 2WHg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=PBmPqd22NtLb8uA/ss1hWKP3YZ8vvmEBhFMk5jh56UM=; b=XysDFQeakgFPdj454w1iqzZCsnCmsnFrTALAjNmwf9Wl1cO90I2isG9faw4x9Fw3hm 0fjlxPdfRefR/obMU5LXSG4vH23zjj43WAilBzTpMibLmC8g0rXoMkdTmejVXHglEEXr YYb71k0TloX7Z0MguEklOpWA3oAU7c2gM908r5da2SoVvL0nuuVIW0o0MmlC+jMuPxDy L8U7Eifdr36dV4GSsQ/AFkgH/wo2sg6Q1kyxdrCZCn664RK44ZhicGyOpGBndbH+v5qs PfDfbE1fHUHKaGXYJPPOfV9nyznJgFhdW9btfVcWcDg3nyueg23k0vFCrSx1jC+43PpW 2BXA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=vObnM0OP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r13-v6si18383127pfb.43.2018.10.08.11.44.59; Mon, 08 Oct 2018 11:45:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=vObnM0OP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730785AbeJIB5k (ORCPT + 99 others); Mon, 8 Oct 2018 21:57:40 -0400 Received: from mail.kernel.org ([198.145.29.99]:45616 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730397AbeJIB5k (ORCPT ); Mon, 8 Oct 2018 21:57:40 -0400 Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 785DC2064A; Mon, 8 Oct 2018 18:44:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539024275; bh=gtTtCTv4uFyX1wMEohy9GtYwHZmAMaqWhkgqiqpIOnM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vObnM0OPzppaqA+LkyLYCBm1Rn4NR9guRHJcYASSwBYnPEAMCq1G7f360qkAOYv8y wZgKaaAot0vsRGENvgKR0tlU9LF0RkoLOInDG5y9YeaQLkHf7q/wZBhLmYeCrfVUlm cYJa7iK5tkFRnbhNqjg5TMshZyqK6vN527dSoMxU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ben Hutchings , Sasha Levin Subject: [PATCH 4.14 56/94] USB: yurex: Check for truncation in yurex_read() Date: Mon, 8 Oct 2018 20:31:37 +0200 Message-Id: <20181008175608.435025039@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20181008175605.067676667@linuxfoundation.org> References: <20181008175605.067676667@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ben Hutchings [ Upstream commit 14427b86837a4baf1c121934c6599bdb67dfa9fc ] snprintf() always returns the full length of the string it could have printed, even if it was truncated because the buffer was too small. So in case the counter value is truncated, we will over-read from in_buffer and over-write to the caller's buffer. I don't think it's actually possible for this to happen, but in case truncation occurs, WARN and return -EIO. Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/yurex.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -417,6 +417,9 @@ static ssize_t yurex_read(struct file *f spin_unlock_irqrestore(&dev->lock, flags); mutex_unlock(&dev->io_mutex); + if (WARN_ON_ONCE(len >= sizeof(in_buffer))) + return -EIO; + return simple_read_from_buffer(buffer, count, ppos, in_buffer, len); }