Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-21 Thread Andrey Konovalov
On Thu, Sep 21, 2017 at 4:07 PM, Greg Kroah-Hartman wrote:
> On Thu, Sep 21, 2017 at 03:51:44PM +0200, Andrey Konovalov wrote:
>> On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman
>> wrote:
>> > On Thu, Sep 21, 2017 at 09:31:54AM +0200,

Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-21 Thread Greg Kroah-Hartman
On Thu, Sep 21, 2017 at 03:51:44PM +0200, Andrey Konovalov wrote:
> On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman
> wrote:
> > On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote:
> >> On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov

Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-21 Thread Andrey Konovalov
On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman wrote:
> On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote:
>> On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote:
>> > Hi!
>> >
>> > I've got the following crash while fuzzing the

Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-21 Thread Greg Kroah-Hartman
On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote:
> On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote:
> > Hi!
> >
> > I've got the following crash while fuzzing the kernel with syzkaller.
> >
> > On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
> >

Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-21 Thread Greg Kroah-Hartman
On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote:
> Hi!
>
> I've got the following crash while fuzzing the kernel with syzkaller.
>
> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
>
> It looks like cdc_parse_cdc_header() doesn't validate buflen before
> accessing

usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-20 Thread Andrey Konovalov
Hi!

I've got the following crash while fuzzing the kernel with syzkaller.

On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).

It looks like cdc_parse_cdc_header() doesn't validate buflen before accessing buffer[1], buffer[2] and so on. The only check present is while (buflen > 0).