git.ipfire.org Git - thirdparty/kernel/stable.git/commit
usb: cdc-acm: Check control transfer buffer size before access
author Jann Horn <jannh@google.com>
Wed, 12 Feb 2025 18:15:15 +0000 (19:15 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 21 Feb 2025 12:50:03 +0000 (13:50 +0100)
commit 7828e9363ac4d23b02419bf2a45b9f1d9fb35646
tree 7e417cb15720c99e86c2206d1f1b3a22b1cbe672
parent fd128ae741e8aa7d1b54f9cc875a031a6b4bbc75
usb: cdc-acm: Check control transfer buffer size before access

commit e563b01208f4d1f609bcab13333b6c0e24ce6a01 upstream.

If the first fragment is shorter than struct usb_cdc_notification, we can't
calculate an expected_size. Log an error and discard the notification
instead of reading lengths from memory outside the received data, which can
lead to memory corruption when the expected_size decreases between
fragments, causing `expected_size - acm->nb_index` to wrap.

This issue has been present since the beginning of git history; however,
it only leads to memory corruption since commit ea2583529cd1
("cdc-acm: reassemble fragmented notifications").

A mitigating factor is that acm_ctrl_irq() can only execute after userspace
has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will
do that automatically depending on the USB device's vendor/product IDs and
its other interfaces.

Cc: stable <stable@kernel.org>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/class/cdc-acm.c
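
The check described in the commit message, as an added userspace model in C; it is not the kernel patch or driver code. `struct reasm`, `feed()`, `unchecked_remaining()` and the 64-byte buffer are hypothetical names and sizes chosen for this sketch; only the 8-byte notification header with `wLength` in its last two bytes follows `struct usb_cdc_notification`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HDR_LEN 8u  /* notification header: 1+1+2+2+2 bytes, wLength last */
#define BUF_LEN 64u /* assumed fixed reassembly buffer for this model */

struct reasm {          /* hypothetical stand-in for the driver's state */
    uint8_t buf[BUF_LEN];
    size_t nb_index;    /* bytes buffered; 0 means no reassembly in progress */
};

/* The unguarded subtraction: wraps to a huge size_t if expected < nb_index. */
static size_t unchecked_remaining(size_t expected_size, size_t nb_index)
{
    return expected_size - nb_index;
}

/* Returns 1 = notification complete, 0 = need more data, -1 = discarded. */
static int feed(struct reasm *r, const uint8_t *data, size_t len)
{
    const uint8_t *hdr = r->nb_index ? r->buf : data;
    size_t expected, copy;
    /* First fragment must hold the whole header, else wLength is not ours. */
    if (r->nb_index == 0 && len < HDR_LEN)
        return -1;
    expected = HDR_LEN + ((size_t)hdr[6] | ((size_t)hdr[7] << 8));
    if (expected > BUF_LEN || expected < r->nb_index) {
        r->nb_index = 0;            /* never let the subtraction below wrap */
        return -1;
    }
    copy = expected - r->nb_index;
    if (copy > len)
        copy = len;
    memcpy(r->buf + r->nb_index, data, copy);
    r->nb_index += copy;
    if (r->nb_index < expected)
        return 0;
    r->nb_index = 0;
    return 1;
}

int main(void)
{
    struct reasm r = {0};
    const uint8_t frag[4] = {0xa1, 0x20, 0, 0}; /* constructed, 4 < 8 */
    printf("%d %zu\n", feed(&r, frag, sizeof frag), unchecked_remaining(8, 10));
    return 0;
}
```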