USB: yurex: fix out-of-bounds uaccess in read handler (f1e255d6) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_torvalds_linux

Commit f1e255d6 authored Jul 06, 2018 by

Jann Horn Committed by Greg Kroah-Hartman Jul 06, 2018

USB: yurex: fix out-of-bounds uaccess in read handler

In general, accessing userspace memory beyond the length of the supplied
buffer in VFS read/write handlers can lead to both kernel memory corruption
(via kernel_read()/kernel_write(), which can e.g. be triggered via
sys_splice()) and privilege escalation inside userspace.

Fix it by using simple_read_from_buffer() instead of custom logic.

Fixes: 6bc235a2

 ("USB: add driver for Meywa-Denki & Kayac YUREX")
Signed-off-by: Jann Horn <jannh@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent bba57edd

Hide whitespace changes

Inline Side-by-side

Please register or to comment