From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 22 Sep 2017 20:43:46 +0000 (+0300)
Subject: USB: devio: Don't corrupt user memory
X-Git-Tag: v4.4.92~35
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b74a45450f80a56a3aca515dd147bd95b18394bf;p=thirdparty%2Fkernel%2Fstable.git

USB: devio: Don't corrupt user memory

commit fa1ed74eb1c233be6131ec92df21ab46499a15b6 upstream.

The user buffer has "uurb->buffer_length" bytes.  If the kernel has more
information than that, we should truncate it instead of writing past
the end of the user's buffer.  I added a WARN_ONCE() to help the user
debug the issue.

Reported-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 873ba02d59e69..bd9419213d060 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1417,7 +1417,11 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
 			totlen += isopkt[u].length;
 		}
 		u *= sizeof(struct usb_iso_packet_descriptor);
-		uurb->buffer_length = totlen;
+		if (totlen <= uurb->buffer_length)
+			uurb->buffer_length = totlen;
+		else
+			WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
+				  totlen, uurb->buffer_length);
 		break;
 
 	default: