USB: devio: Don't corrupt user memory

The user buffer has "uurb->buffer_length" bytes. If the kernel has more information than that, we should truncate it instead of writing past the end of the user's buffer. I added a WARN_ONCE() to help the user debug the issue. Reported-by: Alan Stern <stern@rowland.harvard.edu> Cc: stable <stable@vger.kernel.org> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Dan Carpenter <dan.carpenter@oracle.com> 2017-09-22 23:43:46 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-09-25 10:57:13 +0200
commit: fa1ed74eb1c233be6131ec92df21ab46499a15b6 (patch)
tree: 8f45e2a37fbbe8bbdf9825c6ebe5974d29e304f0
parent: 57999d1107c1e60c2ca7088f2ac0f819e2f554b3 (diff)
download: linux-fa1ed74eb1c233be6131ec92df21ab46499a15b6.tar.bz2
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index e9326f31db8d..4664e543cf2f 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1576,7 +1576,11 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
 			totlen += isopkt[u].length;
 		}
 		u *= sizeof(struct usb_iso_packet_descriptor);
-		uurb->buffer_length = totlen;
+		if (totlen <= uurb->buffer_length)
+			uurb->buffer_length = totlen;
+		else
+			WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
+				  totlen, uurb->buffer_length);
 		break;
 
 	default:
author	Dan Carpenter <dan.carpenter@oracle.com>	2017-09-22 23:43:46 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-09-25 10:57:13 +0200
commit	fa1ed74eb1c233be6131ec92df21ab46499a15b6 (patch)
tree	8f45e2a37fbbe8bbdf9825c6ebe5974d29e304f0
parent	57999d1107c1e60c2ca7088f2ac0f819e2f554b3 (diff)
download	linux-fa1ed74eb1c233be6131ec92df21ab46499a15b6.tar.bz2