Am Mittwoch, den 14.08.2019, 04:38 -0700 schrieb syzbot: > Hello, > > syzbot found the following crash on: > > HEAD commit: d0847550 usb-fuzzer: main usb gadget fuzzer driver > git tree: https://github.com/google/kasan.git usb-fuzzer > console output: https://syzkaller.appspot.com/x/log.txt?x=16295d4a600000 > kernel config: https://syzkaller.appspot.com/x/.config?x=dbc9c80cc095da19 > dashboard link: https://syzkaller.appspot.com/bug?extid=55b0304b360654a7537b > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1288a31c600000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15282e86600000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+55b0304b360654a75...@syzkaller.appspotmail.com
#syz test: https://github.com/google/kasan.git d0847550 >From df64f5cd2e6a9b43c75bb7e3276b8805a225db75 Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneu...@suse.com> Date: Wed, 14 Aug 2019 15:21:41 +0200 Subject: [PATCH] usbtmc: more sanity checking for packet size A malicious device can make the driver divide ny zero with a nonsense maximum packet size. V2: return a sensible error code SIgned-off-by: Oliver Neukum <oneu...@suse.com> --- drivers/usb/class/usbtmc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c index 4942122b2346..36858ddd8d9b 100644 --- a/drivers/usb/class/usbtmc.c +++ b/drivers/usb/class/usbtmc.c @@ -2362,8 +2362,11 @@ static int usbtmc_probe(struct usb_interface *intf, goto err_put; } + retcode = -EINVAL; data->bulk_in = bulk_in->bEndpointAddress; data->wMaxPacketSize = usb_endpoint_maxp(bulk_in); + if (!data->wMaxPacketSize) + goto err_put; dev_dbg(&intf->dev, "Found bulk in endpoint at %u\n", data->bulk_in); data->bulk_out = bulk_out->bEndpointAddress; -- 2.16.4
