Commit e7512460 authored Aug 16, 2024 by Lee Jones Committed by Zeng Heng Aug 16, 2024

usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()

mainline inclusion
from mainline-v6.10
commit 6d3c721e686ea6c59e18289b400cc95c76e927e0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAILHF
CVE: CVE-2024-42236

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6d3c721e686ea6c59e18289b400cc95c76e927e0



--------------------------------

Userspace provided string 's' could trivially have the length zero. Left
unchecked this will firstly result in an OOB read in the form
`if (str[0 - 1] == '\n') followed closely by an OOB write in the form
`str[0 - 1] = '\0'`.

There is already a validating check to catch strings that are too long.
Let's supply an additional check for invalid strings that are too short.

Signed-off-by: Lee Jones <lee@kernel.org>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20240705074339.633717-1-lee@kernel.org


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: dengquan <dengquan9@huawei.com>

parent b64d0f05

drivers/usb/gadget/configfs.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -104,9 +104,12 @@ static int usb_string_copy(const char s, char *s_copy)
		int ret;
		char *str;
		char copy = s_copy;

		ret = strlen(s);
		if (ret > USB_MAX_STRING_LEN)
		return -EOVERFLOW;
		if (ret < 1)
		return -EINVAL;

		if (copy) {
		str = copy;