Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3928855imm; Mon, 8 Oct 2018 11:50:58 -0700 (PDT) X-Google-Smtp-Source: ACcGV6383PDBT1YbmmkSKBCdQ+QyrJdMc0IVnIai8BCD0YZNpaCNF1FarfrHm4FSp7U3vO4jsoPV X-Received: by 2002:a65:4783:: with SMTP id e3-v6mr5756575pgs.12.1539024658686; Mon, 08 Oct 2018 11:50:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539024658; cv=none; d=google.com; s=arc-20160816; b=HCfH1mdzaUOOOPjnwOdL9ydqlEBDAiCCadyCRLn9EOClA7ZhjIJjJPCKwe47lcJCG0 5j5G9RhPgQ5X2hgM1imgzHGzgDpvdqYcwEnDjjIK7qVYoXgiHyKzi4BZdbirNCB68h/d ORLYwxc6StiN1hi3FKTXZcMvKnCWw2Jbsd5LmUH7cAbxo/jcYX2sOgQDwvUahxCmndnh AnMWchybBiNVSblhry5WJuwRpGnbEwZpYgiqSnKthlc8ozAM2XvSpizaii7sy9XWdKF9 KVl8mSeb2Sgek+dkBuR8bF6P4UNXYAN1IRWI6TEO5snkcik73dj/Sq6yoS5YkH0UEp7Z 6nJw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=8/thLdWDhTQIPGo8UNwmPlV84vQeipW0De1jIvf0bdE=; b=Hh9KP4Eq9Wz4rnn8IPsWPSIypChgEEOL7QolvxYW4JV/Kj8LNMbkhJ8xKDq02LW4GT lr0fhewvkoQVgw3DSBapvdJlgNkaLX826OmE0xRxUlXdAbgLbtGNbXB3GREAzWOrr7aQ JwWs2is/UG0+ALBW9PJWCH+YQYbGqn05khqaNglBNrOx9ivXRTzZ3Bc5Bf2Q8gLFEtMJ OuThYz7dDooaLL0rBLg0yuPmdap/rjOeZxXmkQ1fPAZqJIW6Yh74NrX59E5TUH+2N5No FEIJE8Ry0twIwvc+T3TLoJqRBF6eWPGBu9ody27nWhy8Q7jxx6YDwagPn/+kAlbsBYGh m9yw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ELYlpU8M; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o2-v6si16990616pgj.111.2018.10.08.11.50.43; Mon, 08 Oct 2018 11:50:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ELYlpU8M; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732099AbeJICDh (ORCPT + 99 others); Mon, 8 Oct 2018 22:03:37 -0400 Received: from mail.kernel.org ([198.145.29.99]:53138 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726391AbeJICDg (ORCPT ); Mon, 8 Oct 2018 22:03:36 -0400 Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E369B2087D; Mon, 8 Oct 2018 18:50:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539024629; bh=IerCPqtrMyC7l3NWfJwQOdqDgfSeef/BtIMyCJ+LuTw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ELYlpU8Mk7V9wl5CX/M0XJOm3k56kcysBspPCDJHISeMJkXu9tJYRz/e84RVRHr4N /TxgHZnctO6J3EQyvfmPQr3xnmxQ41OWx+qgK11Cdjr/Tlw4OiGoCOhO9hMN2ML2Kg zpjMnrLdutPEE24ps7Neg2P5VAHubLzkEMFfFkG0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ben Hutchings , Sasha Levin Subject: [PATCH 4.18 102/168] USB: yurex: Check for truncation in yurex_read() Date: Mon, 8 Oct 2018 20:31:22 +0200 Message-Id: <20181008175623.939644896@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20181008175620.043587728@linuxfoundation.org> References: <20181008175620.043587728@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ben Hutchings [ Upstream commit 14427b86837a4baf1c121934c6599bdb67dfa9fc ] snprintf() always returns the full length of the string it could have printed, even if it was truncated because the buffer was too small. So in case the counter value is truncated, we will over-read from in_buffer and over-write to the caller's buffer. I don't think it's actually possible for this to happen, but in case truncation occurs, WARN and return -EIO. Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/yurex.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -413,6 +413,9 @@ static ssize_t yurex_read(struct file *f spin_unlock_irqrestore(&dev->lock, flags); mutex_unlock(&dev->io_mutex); + if (WARN_ON_ONCE(len >= sizeof(in_buffer))) + return -EIO; + return simple_read_from_buffer(buffer, count, ppos, in_buffer, len); }