git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Dominique Martinet <asmadeus@codewreck.org>
	Sun, 22 Jun 2025 13:39:56 +0000 (22:39 +0900)
committer	Dominique Martinet <asmadeus@codewreck.org>
	Sat, 23 Aug 2025 06:34:46 +0000 (15:34 +0900)
commit	c04db81cd0288dfc68b7a0f7d09bd49b40bba451
tree	35a5a964dbc2f9810dfc5a2f547169737c2e38af	tree \| snapshot
parent	c667c54c5875bf57641cd3bedc2cae66f2f08854	commit \| diff

net/9p: Fix buffer overflow in USB transport layer

A buffer overflow vulnerability exists in the USB 9pfs transport layer
where inconsistent size validation between packet header parsing and
actual data copying allows a malicious USB host to overflow heap buffers.

The issue occurs because:
- usb9pfs_rx_header() validates only the declared size in packet header
- usb9pfs_rx_complete() uses req->actual (actual received bytes) for
memcpy

This allows an attacker to craft packets with small declared size
(bypassing validation) but large actual payload (triggering overflow
in memcpy).

Add validation in usb9pfs_rx_complete() to ensure req->actual does not
exceed the buffer capacity before copying data.

Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Closes: https://lkml.kernel.org/r/20250616132539.63434-1-danisjiang@gmail.com
Fixes: a3be076dc174 ("net/9p/usbg: Add new usb gadget function transport")
Cc: stable@vger.kernel.org
Message-ID: <20250622-9p-usb_overflow-v3-1-ab172691b946@codewreck.org>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>