
Commit f1e255d

thejhgregkh
authored andcommitted
USB: yurex: fix out-of-bounds uaccess in read handler
In general, accessing userspace memory beyond the length of the supplied buffer in VFS read/write handlers can lead to both kernel memory corruption (via kernel_read()/kernel_write(), which can e.g. be triggered via sys_splice()) and privilege escalation inside userspace. Fix it by using simple_read_from_buffer() instead of custom logic. Fixes: 6bc235a ("USB: add driver for Meywa-Denki & Kayac YUREX") Signed-off-by: Jann Horn <jannh@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent bba57ed commit f1e255d


1 file changed

+6
-17
lines changed

1 file changed

+6
-17
lines changed

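--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -396,35 +396,24 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
 loff_t *ppos)
 {
 struct usb_yurex *dev;
-int retval = 0;
-int bytes_read = 0;
+int len = 0;
 char in_buffer[20];
 unsigned long flags;
 
 dev = file->private_data;
 
 mutex_lock(&dev->io_mutex);
 if (!dev->interface) { /* already disconnected */
-retval = -ENODEV;
-goto exit;
+mutex_unlock(&dev->io_mutex);
+return -ENODEV;
 }
 
 spin_lock_irqsave(&dev->lock, flags);
-bytes_read = snprintf(in_buffer, 20, "%lld\n", dev->bbu);
+len = snprintf(in_buffer, 20, "%lld\n", dev->bbu);
 spin_unlock_irqrestore(&dev->lock, flags);
-
-if (*ppos < bytes_read) {
-if (copy_to_user(buffer, in_buffer + *ppos, bytes_read - *ppos))
-retval = -EFAULT;
-else {
-retval = bytes_read - *ppos;
-*ppos += bytes_read;
-}
-}
-
-exit:
 mutex_unlock(&dev->io_mutex);
-return retval;
+
+return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
 }
 
 static ssize_t yurex_write(struct file *file, const char __user *user_buffer,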
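Review bot: `len` is handed to simple_read_from_buffer() as the number of valid bytes in in_buffer, but snprintf() returns the length the formatted text would have had, not the number of bytes actually stored, so it can exceed the 20-byte array. With `"%lld\n"` a negative 19-digit value needs 21 characters plus the terminator; if dev->bbu can hold such a value (its type and range are not visible in this hunk), the final call would copy a stack byte past in_buffer to userspace, and a 19-digit positive value would return the NUL in place of the newline. Use `len = scnprintf(in_buffer, sizeof(in_buffer), "%lld\n", dev->bbu);`, which returns the count actually written, and size in_buffer for the longest signed 64-bit string plus newline and terminator so nothing is truncated. The first line of yurex_read's signature lies outside the hunk.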
