queue/USB-cdc-wdm-fix-buffer-overflow.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-2.6.34 - Git at Google

 From 126a16920a646521f9deeea090d0673cb5ca88f1 Mon Sep 17 00:00:00 2001
 From: Oliver Neukum <oneukum@suse.de>
 Date: Tue, 12 Mar 2013 14:52:42 +0100
 Subject: [PATCH] USB: cdc-wdm: fix buffer overflow

 commit c0f5ecee4e741667b2493c742b60b6218d40b3aa upstream.

 The buffer for responses must not overflow.
 If this would happen, set a flag, drop the data and return
 an error after user space has read all remaining data.

 Signed-off-by: Oliver Neukum <oliver@neukum.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 [PG: minor adjustment since RESET from 880442027569 isn't in .34]
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
 ---
  drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
  1 file changed, 20 insertions(+), 3 deletions(-)

 diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
 index 189141ca4e05..ce1af28e54ff 100644
 --- a/drivers/usb/class/cdc-wdm.c
 +++ b/drivers/usb/class/cdc-wdm.c
 @@ -54,6 +54,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
  #define WDM_POLL_RUNNING	6
  #define WDM_RESPONDING		7
  #define WDM_SUSPENDING		8
 +#define WDM_OVERFLOW		10

  #define WDM_MAX			16

 @@ -114,6 +115,7 @@ static void wdm_in_callback(struct urb *urb)
  {
  	struct wdm_device *desc = urb->context;
  	int status = urb->status;
 +	int length = urb->actual_length;

  	spin_lock(&desc->iuspin);
  	clear_bit(WDM_RESPONDING, &desc->flags);
 @@ -144,9 +146,17 @@ static void wdm_in_callback(struct urb *urb)
  	}

  	desc->rerr = status;
 -	desc->reslength = urb->actual_length;
 -	memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
 -	desc->length += desc->reslength;
 +	if (length + desc->length > desc->wMaxCommand) {
 +		/* The buffer would overflow */
 +		set_bit(WDM_OVERFLOW, &desc->flags);
 +	} else {
 +		/* we may already be in overflow */
 +		if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
 +			memmove(desc->ubuf + desc->length, desc->inbuf, length);
 +			desc->length += length;
 +			desc->reslength = length;
 +		}
 +	}
  skip_error:
  	wake_up(&desc->wait);

 @@ -410,6 +420,11 @@ retry:
  			rv = -ENODEV;
  			goto err;
  		}
 +		if (test_bit(WDM_OVERFLOW, &desc->flags)) {
 +			clear_bit(WDM_OVERFLOW, &desc->flags);
 +			rv = -ENOBUFS;
 +			goto err;
 +		}
  		i++;
  		if (file->f_flags & O_NONBLOCK) {
  			if (!test_bit(WDM_READ, &desc->flags)) {
 @@ -449,6 +464,7 @@ retry:
  			spin_unlock_irq(&desc->iuspin);
  			goto retry;
  		}
 +
  		if (!desc->reslength) { /* zero length read */
  			spin_unlock_irq(&desc->iuspin);
  			goto retry;
 @@ -860,6 +876,7 @@ static int wdm_post_reset(struct usb_interface *intf)
  	struct wdm_device *desc = usb_get_intfdata(intf);
  	int rv;

 +	clear_bit(WDM_OVERFLOW, &desc->flags);
  	rv = recover_from_urb_loss(desc);
  	mutex_unlock(&desc->lock);
  	return 0;
 --
 1.8.5.2
	From 126a16920a646521f9deeea090d0673cb5ca88f1 Mon Sep 17 00:00:00 2001
	From: Oliver Neukum <oneukum@suse.de>
	Date: Tue, 12 Mar 2013 14:52:42 +0100
	Subject: [PATCH] USB: cdc-wdm: fix buffer overflow

	commit c0f5ecee4e741667b2493c742b60b6218d40b3aa upstream.

	The buffer for responses must not overflow.
	If this would happen, set a flag, drop the data and return
	an error after user space has read all remaining data.

	Signed-off-by: Oliver Neukum <oliver@neukum.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	[PG: minor adjustment since RESET from 880442027569 isn't in .34]
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
	---
	drivers/usb/class/cdc-wdm.c \| 23 ++++++++++++++++++++---
	1 file changed, 20 insertions(+), 3 deletions(-)

	diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
	index 189141ca4e05..ce1af28e54ff 100644
	--- a/drivers/usb/class/cdc-wdm.c
	+++ b/drivers/usb/class/cdc-wdm.c
	@@ -54,6 +54,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
	#define WDM_POLL_RUNNING 6
	#define WDM_RESPONDING 7
	#define WDM_SUSPENDING 8
	+#define WDM_OVERFLOW 10

	#define WDM_MAX 16

	@@ -114,6 +115,7 @@ static void wdm_in_callback(struct urb *urb)
	{
	struct wdm_device *desc = urb->context;
	int status = urb->status;
	+ int length = urb->actual_length;

	spin_lock(&desc->iuspin);
	clear_bit(WDM_RESPONDING, &desc->flags);
	@@ -144,9 +146,17 @@ static void wdm_in_callback(struct urb *urb)
	}

	desc->rerr = status;
	- desc->reslength = urb->actual_length;
	- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
	- desc->length += desc->reslength;
	+ if (length + desc->length > desc->wMaxCommand) {
	+ /* The buffer would overflow */
	+ set_bit(WDM_OVERFLOW, &desc->flags);
	+ } else {
	+ /* we may already be in overflow */
	+ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
	+ memmove(desc->ubuf + desc->length, desc->inbuf, length);
	+ desc->length += length;
	+ desc->reslength = length;
	+ }
	+ }
	skip_error:
	wake_up(&desc->wait);

	@@ -410,6 +420,11 @@ retry:
	rv = -ENODEV;
	goto err;
	}
	+ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
	+ clear_bit(WDM_OVERFLOW, &desc->flags);
	+ rv = -ENOBUFS;
	+ goto err;
	+ }
	i++;
	if (file->f_flags & O_NONBLOCK) {
	if (!test_bit(WDM_READ, &desc->flags)) {
	@@ -449,6 +464,7 @@ retry:
	spin_unlock_irq(&desc->iuspin);
	goto retry;
	}
	+
	if (!desc->reslength) { /* zero length read */
	spin_unlock_irq(&desc->iuspin);
	goto retry;
	@@ -860,6 +876,7 @@ static int wdm_post_reset(struct usb_interface *intf)
	struct wdm_device *desc = usb_get_intfdata(intf);
	int rv;

	+ clear_bit(WDM_OVERFLOW, &desc->flags);
	rv = recover_from_urb_loss(desc);
	mutex_unlock(&desc->lock);
	return 0;
	--
	1.8.5.2