| From 78cdfd62bd54af615fba9e3ca1ba35de39d3871d Mon Sep 17 00:00:00 2001 |
| From: Johan Hovold <johan@kernel.org> |
| Date: Mon, 25 Oct 2021 13:45:31 +0200 |
| Subject: comedi: vmk80xx: fix bulk-buffer overflow |
| |
| From: Johan Hovold <johan@kernel.org> |
| |
| commit 78cdfd62bd54af615fba9e3ca1ba35de39d3871d upstream. |
| |
| The driver is using endpoint-sized buffers but must not assume that the |
| tx and rx buffers are of equal size or a malicious device could overflow |
| the slab-allocated receive buffer when doing bulk transfers. |
| |
| Fixes: 985cafccbf9b ("Staging: Comedi: vmk80xx: Add k8061 support") |
| Cc: stable@vger.kernel.org # 2.6.31 |
| Signed-off-by: Johan Hovold <johan@kernel.org> |
| Reviewed-by: Ian Abbott <abbotti@mev.co.uk> |
| Link: https://lore.kernel.org/r/20211025114532.4599-5-johan@kernel.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/staging/comedi/drivers/vmk80xx.c | 16 +++++++--------- |
| 1 file changed, 7 insertions(+), 9 deletions(-) |
| |
| --- a/drivers/staging/comedi/drivers/vmk80xx.c |
| +++ b/drivers/staging/comedi/drivers/vmk80xx.c |
| @@ -168,22 +168,20 @@ static void vmk80xx_do_bulk_msg(struct c |
| __u8 rx_addr; |
| unsigned int tx_pipe; |
| unsigned int rx_pipe; |
| - size_t size; |
| + size_t tx_size; |
| + size_t rx_size; |
| |
| tx_addr = devpriv->ep_tx->bEndpointAddress; |
| rx_addr = devpriv->ep_rx->bEndpointAddress; |
| tx_pipe = usb_sndbulkpipe(usb, tx_addr); |
| rx_pipe = usb_rcvbulkpipe(usb, rx_addr); |
| - |
| - /* |
| - * The max packet size attributes of the K8061 |
| - * input/output endpoints are identical |
| - */ |
| - size = usb_endpoint_maxp(devpriv->ep_tx); |
| + tx_size = usb_endpoint_maxp(devpriv->ep_tx); |
| + rx_size = usb_endpoint_maxp(devpriv->ep_rx); |
| |
| usb_bulk_msg(usb, tx_pipe, devpriv->usb_tx_buf, |
| - size, NULL, devpriv->ep_tx->bInterval); |
| - usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, size, NULL, HZ * 10); |
| + tx_size, NULL, devpriv->ep_tx->bInterval); |
| + |
| + usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, rx_size, NULL, HZ * 10); |
| } |
| |
| static int vmk80xx_read_packet(struct comedi_device *dev) |