USB: gadget: fix illegal array access in binding with UDC
Kyungtae Kim authored
commit 15753588 upstream.

FuzzUSB (a variant of syzkaller) found an illegal array access
using an incorrect index while binding a gadget with UDC.

Reference: https://www.spinics.net/lists/linux-usb/msg194331.html

This bug occurs when a size variable used for a buffer
is misused to access its strcpy-ed buffer.
Given a buffer along with its size variable (taken from user input),
a new buffer is created from it using kstrdup().
Because the original buffer contains a 0 value in the middle,
the size of the kstrdup-ed buffer becomes smaller than that of the original.
So accessing the kstrdup-ed buffer with the same size variable
triggers a memory access violation.

The fix makes sure there is no zero value in the buffer,
by comparing the strlen() of the original buffer with the size variable,
so that the access to the kstrdup-ed buffer is safe.

BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200
drivers/usb/...
Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.