References: <20221024094853.2877441-1-yulei.sh@bytedance.com>
From: Lei Yu
Date: Fri, 28 Oct 2022 15:41:53 +0800
Subject: RE: [PATCH] usb: gadget: aspeed: fix buffer overflow
To: Neal Liu
Cc: Felipe Balbi, Greg Kroah-Hartman, Joel Stanley, Andrew Jeffery, Henry Tian, Jakob Koschel, linux-usb@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-aspeed@lists.ozlabs.org, linux-kernel@vger.kernel.org, Ryan Chen
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Oct 28, 2022 at 2:59 PM Neal Liu wrote:
>
> Thanks for your feedback.
> I tried to reproduce it on my side, and it cannot be reproduced.
> Here are my test sequences:
> 1. emulate one of the vhub port to usb ethernet through Linux gadget (ncm)

We are using rndis instead of ncm.

> 2. connect BMC vhub to Host
> 3. BMC & Host can ping each other (both usb eth dev default mtu is 1500)
> 4. Set BMC mtu to 1000 (Host OS cannot set usb eth dev mtu to 2000, its maxmtu is 1500)

Not sure if it's related, but in my case (USB rndis, Debian 10 OS) it should be able to set MTU to 2000.

> 5. ping BMC with `s -1500` argument from Host OS
> 6. BMC kernel no oops
>
> I dumped the `req` related members in ast_vhub_epn_handle_ack() to see whether the received data length exceeds the buffer length.
> In my case `req.length` is 16384 bytes, so it never exceeds it in this case.
> I'm wondering what's the value of `req.length` in your test scenario? And how can I reproduce it?

The last 3 calls of ast_vhub_epn_handle_ack():

ast_vhub_epn_handle_ack：req->last_desc=-1 req.actual=1024,req.length=1578,ep->ep.maxpacket=512
ast_vhub_epn_handle_ack：req->last_desc=-1 req.actual=1536,req.length=1578,ep->ep.maxpacket=512
ast_vhub_epn_handle_ack：req->last_desc=1 req.actual=1634,req.length=1578,ep->ep.maxpacket=512

We can see the last packet 1634 exceeds the req.length 1578, and that's when the buffer overflow occurs.
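As an added illustration (not code from the patch, the thread, or the aspeed vhub driver), the model below replays the three ack calls from the dump above against a hypothetical request structure `rx_req` and a bounds-checked receive routine `rx_ack`; it shows that the third ack, which would push `actual` to 1634 on a 1578-byte request, is the one that must be clamped rather than copied in full.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of a gadget request: a buffer of `length` bytes that
 * the controller fills in maxpacket-sized chunks. Constructed for this
 * illustration; it is not the driver's struct usb_request. */
struct rx_req {
    uint8_t *buf;
    size_t length;   /* size of the buffer the gadget layer handed over */
    size_t actual;   /* bytes stored so far */
};

/* Store one completed transfer. If the controller reports more bytes than
 * the remaining room, copy only what fits and flag the overflow; this is the
 * check a safe ack handler needs before touching req->buf. Returns bytes
 * actually copied. */
static size_t rx_ack(struct rx_req *req, const uint8_t *data, size_t len,
                     int *overflow)
{
    size_t room = req->length - req->actual;
    size_t n = len;

    *overflow = 0;
    if (len > room) {       /* would run past the end of req->buf */
        *overflow = 1;
        n = room;
    }
    memcpy(req->buf + req->actual, data, n);
    req->actual += n;
    return n;
}

/* Replay the dump from the thread: actual goes 1024 -> 1536 -> 1634 against
 * req.length = 1578 with 512-byte packets. Returns the index of the first
 * ack that overflowed (or -1), and the final clamped `actual` via *final. */
int replay_thread_sequence(size_t *final)
{
    static uint8_t buf[1578];
    static uint8_t packet[1024];             /* constructed payload */
    struct rx_req req = { buf, sizeof buf, 0 };
    size_t chunks[] = { 1024, 512, 98 };     /* deltas from the dump */
    int ovf, hit = -1;

    for (size_t i = 0; i < 3; i++) {
        rx_ack(&req, packet, chunks[i], &ovf);
        if (ovf && hit < 0)
            hit = (int)i;
    }
    *final = req.actual;
    return hit;
}
```

The third ack is reported as the overflowing one and `actual` stays capped at the 1578-byte buffer size instead of reaching 1634.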