comedi: vmk80xx: fix bulk-buffer overflow

stable inclusion from stable-5.10.79 commit b7fd7f3387f070215e6be341e68eb5c087eeecc0 bugzilla: 185793 https://gitee.com/openeuler/kernel/issues/I4K65C Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b7fd7f3387f070215e6be341e68eb5c087eeecc0 -------------------------------- commit 78cdfd62 upstream. The driver is using endpoint-sized buffers but must not assume that the tx and rx buffers are of equal size or a malicious device could overflow the slab-allocated receive buffer when doing bulk transfers. Fixes: 985cafcc ("Staging: Comedi: vmk80xx: Add k8061 support") Cc: stable@vger.kernel.org # 2.6.31 Signed-off-by: N Johan Hovold <johan@kernel.org> Reviewed-by: N Ian Abbott <abbotti@mev.co.uk> Link: https://lore.kernel.org/r/20211025114532.4599-5-johan@kernel.orgSigned-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Weilong Chen <chenweilong@huawei.com> Signed-off-by: N Bin Li <huawei.libin@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

comedi: vmk80xx: fix bulk-buffer overflow
stable inclusion from stable-5.10.79 commit b7fd7f3387f070215e6be341e68eb5c087eeecc0 bugzilla: 185793 https://gitee.com/openeuler/kernel/issues/I4K65C Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b7fd7f3387f070215e6be341e68eb5c087eeecc0 -------------------------------- commit 78cdfd62 upstream. The driver is using endpoint-sized buffers but must not assume that the tx and rx buffers are of equal size or a malicious device could overflow the slab-allocated receive buffer when doing bulk transfers. Fixes: 985cafcc ("Staging: Comedi: vmk80xx: Add k8061 support") Cc: stable@vger.kernel.org # 2.6.31 Signed-off-by: N Johan Hovold <johan@kernel.org> Reviewed-by: N Ian Abbott <abbotti@mev.co.uk> Link: https://lore.kernel.org/r/20211025114532.4599-5-johan@kernel.orgSigned-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Weilong Chen <chenweilong@huawei.com> Signed-off-by: N Bin Li <huawei.libin@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
79067df9 · Johan Hovold · Zheng Zengkai · 87b35b57 · 79067df9
隐藏空白更改
内联并排

Showing with 7 addition and 9 deletion

drivers/staging/comedi/drivers/vmk80xx.c drivers/staging/comedi/drivers/vmk80xx.c +7 -9

未找到文件。
--- a/drivers/staging/comedi/drivers/vmk80xx.c
+++ b/drivers/staging/comedi/drivers/vmk80xx.c
@@ -159,22 +159,20 @@ static void vmk80xx_do_bulk_msg(struct comedi_device *dev)
 	__u8 rx_addr;
 	unsigned int tx_pipe;
 	unsigned int rx_pipe;
-	size_t size;
+	size_t tx_size;
+	size_t rx_size;

 	tx_addr = devpriv->ep_tx->bEndpointAddress;
 	rx_addr = devpriv->ep_rx->bEndpointAddress;
 	tx_pipe = usb_sndbulkpipe(usb, tx_addr);
 	rx_pipe = usb_rcvbulkpipe(usb, rx_addr);
-
-	/*
-	 * The max packet size attributes of the K8061
-	 * input/output endpoints are identical
-	 */
-	size = usb_endpoint_maxp(devpriv->ep_tx);
+	tx_size = usb_endpoint_maxp(devpriv->ep_tx);
+	rx_size = usb_endpoint_maxp(devpriv->ep_rx);

 	usb_bulk_msg(usb, tx_pipe, devpriv->usb_tx_buf,
-		     size, NULL, devpriv->ep_tx->bInterval);
-	usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, size, NULL, HZ * 10);
+		     tx_size, NULL, devpriv->ep_tx->bInterval);
+
+	usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, rx_size, NULL, HZ * 10);
 }

 static int vmk80xx_read_packet(struct comedi_device *dev)