Received: by 2002:a17:90a:bc8d:0:0:0:0 with SMTP id x13csp1572574pjr;
        Mon, 18 May 2020 16:45:16 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxZmBdItyNtMeNc1AtKxrL42bzUoBz4etCzRsbVmkgG2XYQ9iNEFRodZFfP5tu/LFOW/lk9
X-Received: by 2002:a17:906:858b:: with SMTP id v11mr17335054ejx.348.1589845516265;
        Mon, 18 May 2020 16:45:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1589845516; cv=none;
        d=google.com; s=arc-20160816;
        b=jTxw5xg2lB2HDozUWUJexSzJ7AYS/0FC5+cwpRYAYQRDQ8hcS6QfjZg/rpUlJRsgEP
         eMaMJ0H6+PeBB72bPwqEPQRZg1iVWwF1rV3SPA0RVOf8Ux1Z2mqa3clXTXFCPdEXGwsy
         43Kxk4igxY7R3xolsd68FPHaCGAXFfmV2vk7lMsT/ThwBxNO7UqKqWlCqGMOVTj2Iv1n
         8cRa0Zx22YxSH0VS+7LUvksl/nElPKOyuiHzPpY1tmjIJoNDenPJoVYeoAQsGFS+MwAq
         W2pEsraKUzsxFWwfLBwS/rO0QW2LqFcMcQbjc9kF3Jbw71A1bTVp/hlO3XpGdmQSNmHq
         tSlg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=btRO8gJYII3+pzQrQ8pGvdLgjy/j/sNyZl0V4aatNuU=;
        b=A7/pz3oHDMrYHLHqUG6RgwOlMlWEmChjwtMnrkje13eiSrdPWn9xf6DD1ghyPnu7re
         4+M5lVZhq8SuiAOMYcHyzgXL1ZHZxZPLCuQt3aEybYpywz31ZAtDN+uV1nudg4bsNo+Q
         FO3SKLUNcLpu6Z3g9Hp6Ad8AN8r3zVA9lbeRyFaxHA6Z3+sF4gqC5Yxx6P+Bc6RCAr7w
         5t28BHa8jN7NJHxM+dWpQ0Q4LXGWmkLGNpvnEFbhSXCXtFIXvUD+Q2DeQWGaYEwGdgGr
         7gZ8YR101tE14FrzrZcPrbpnbeygCjPVgA0/NuY5Ma+SbgWn0OREV/Jn2pH68VXSGjz2
         M0fw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=Z+u1XS+Y;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id j5si3201763ejm.468.2020.05.18.16.44.53;
        Mon, 18 May 2020 16:45:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=Z+u1XS+Y;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731388AbgERR6Q (ORCPT <rfc822;bowenwang.tinker@gmail.com>
        + 99 others); Mon, 18 May 2020 13:58:16 -0400
Received: from mail.kernel.org ([198.145.29.99]:37410 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730713AbgERR6N (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 18 May 2020 13:58:13 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id B273B20715;
        Mon, 18 May 2020 17:58:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1589824692;
        bh=Q6OxYPg+HEkGz2LIWB5H4R2fxd0AQ+iGVhEsHiX43Pk=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=Z+u1XS+YbU54yNXENfrjwzrRy7q+SnrdWyFqmzfJKFfQsZlf1pc9wZFRvDQsOtf1v
         oXGnYZwy5y5kYbGF1GLzvI1vDiZSVb550JIwHmRs1pKrn0Jr+5QswiVv46OKxAuNDn
         /Ye636BvUiVZQnjcTGrgM8sVcsBRoHngI+O2jPyE=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Kyungtae Kim <kt0755@gmail.com>,
        Felipe Balbi <balbi@kernel.org>
Subject: [PATCH 5.4 112/147] USB: gadget: fix illegal array access in binding with UDC
Date:   Mon, 18 May 2020 19:37:15 +0200
Message-Id: <20200518173527.073653153@linuxfoundation.org>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200518173513.009514388@linuxfoundation.org>
References: <20200518173513.009514388@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kyungtae Kim <kt0755@gmail.com>

commit 15753588bcd4bbffae1cca33c8ced5722477fe1f upstream.

FuzzUSB (a variant of syzkaller) found an illegal array access
using an incorrect index while binding a gadget with UDC.

Reference: https://www.spinics.net/lists/linux-usb/msg194331.html

This bug occurs when a size variable used for a buffer
is misused to access its strcpy-ed buffer.
Given a buffer along with its size variable (taken from user input),
from which, a new buffer is created using kstrdup().
Due to the original buffer containing 0 value in the middle,
the size of the kstrdup-ed buffer becomes smaller than that of the original.
So accessing the kstrdup-ed buffer with the same size variable
triggers memory access violation.

The fix makes sure no zero value in the buffer,
by comparing the strlen() of the orignal buffer with the size variable,
so that the access to the kstrdup-ed buffer is safe.

BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200
drivers/usb/gadget/configfs.c:266
Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208

CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
 __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266
 flush_write_buffer fs/configfs/file.c:251 [inline]
 configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283
 __vfs_write+0x85/0x110 fs/read_write.c:494
 vfs_write+0x1cd/0x510 fs/read_write.c:558
 ksys_write+0x18a/0x220 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:620
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Signed-off-by: Kyungtae Kim <kt0755@gmail.com>
Reported-and-tested-by: Kyungtae Kim <kt0755@gmail.com>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/configfs.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -260,6 +260,9 @@ static ssize_t gadget_dev_desc_UDC_store
 	char *name;
 	int ret;
 
+	if (strlen(page) < len)
+		return -EOVERFLOW;
+
 	name = kstrdup(page, GFP_KERNEL);
 	if (!name)
 		return -ENOMEM;