comedi: vmk80xx: fix transfer-buffer overflows
stable inclusion from stable-v4.19.217 commit 7a2021b896de1ad559d33b5c5cdd20b982242088 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RD17 CVE: CVE-2021-47475 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7a2021b896de1ad559d33b5c5cdd20b982242088 -------------------------------- commit a23461c4 upstream. The driver uses endpoint-sized USB transfer buffers but up until recently had no sanity checks on the sizes. Commit e1f13c87 ("staging: comedi: check validity of wMaxPacketSize of usb endpoints found") inadvertently fixed NULL-pointer dereferences when accessing the transfer buffers in case a malicious device has a zero wMaxPacketSize. Make sure to allocate buffers large enough to handle also the other accesses that are done without a size check (e.g. byte 18 in vmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond the buffers, for example, when doing descriptor fuzzing. The original driver was for a low-speed device with 8-byte buffers. Support was later added for a device that uses bulk transfers and is presumably a full-speed device with a maximum 64-byte wMaxPacketSize. Fixes: 985cafcc ("Staging: Comedi: vmk80xx: Add k8061 support") Cc: stable@vger.kernel.org # 2.6.31 Signed-off-by:Johan Hovold <johan@kernel.org> Reviewed-by:
Loading
Please sign in to comment