On 9/5/2019 7:24 AM, Andrey Konovalov wrote:
> On Thu, Sep 5, 2019 at 4:20 AM Hui Peng wrote:
>>
>> Can you guys have a look at the attached patch?
>
> Let's try it:
>
> #syz test: https://github.com/google/kasan.git eea39f24
>
> FYI: there are two mor
Can you guys have a look at the attached patch?
On 9/4/19 6:41 PM, Stephen Hemminger wrote:
> On Wed, 4 Sep 2019 16:27:50 -0400
> Hui Peng wrote:
>
>> Hi, all:
>>
>> I looked at the bug a little.
>>
>> The issue is that in the error handling c
Hi, all:
I looked at the bug a little.
The issue is that in the error handling code, hso_free_net_device
unregisters
the net_device (hso_net->net) by calling unregister_netdev. In the
error handling code path,
hso_net->net has not been registered yet.
I think there are two ways to solve the
On 9/1/19 9:00 AM, Salvatore Bonaccorso wrote:
> Hi Hui,
>
> On Fri, Aug 30, 2019 at 05:47:29PM -0400, Hui Peng wrote:
>> `check_input_term` recursively calls itself with input from
>> device side (e.g., uac_input_terminal_descriptor.bCSourceID)
>> as argument
On 9/1/19 8:58 AM, Salvatore Bonaccorso wrote:
> On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote:
>> The `uac_mixer_unit_descriptor` shown as below is read from the
>> device side. In `parse_audio_mixer_unit`, `baSourceID` field is
>> accessed from index 0 to `bNrInP
On 8/31/19 2:18 PM, Guenter Roeck wrote:
> On Mon, Aug 19, 2019 at 06:02:29PM -0400, Hui Peng wrote:
>> `dev` (struct rsi_91x_usbdev *) field of adapter
>> (struct rsi_91x_usbdev *) is allocated and initialized in
>> `rsi_init_usb_interface`. If any error is detected in inf
[];
}
```
This patch fixes the bug by add a sanity check on the length of
the descriptor.
CVE: CVE-2018-15117
Reported-by: Hui Peng
Reported-by: Mathias Payer
Signed-off-by: Hui Peng
---
sound/usb/mixer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
stack overflow.
This patch fixes the bug by adding a bitmap to `struct mixer_build`
to keep track of the checked ids and stop the execution if some id
has been checked (similar to how parse_audio_unit handles unitid
argument).
CVE: CVE-2018-15118
Reported-by: Hui Peng
Reported-by: Mathias Payer
+0x816/0x14d0 kernel/workqueue.c:2153
worker_thread+0x9b/0xce0 kernel/workqueue.c:2296
kthread+0x33d/0x400 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
On 8/20/19 2:19 PM, Hui Peng wrote:
> In the while loop of technisat_usb2_get_ir, it scans through
> a fix
.
Reported-by: Hui Peng
Reported-by: Mathias Payer
Signed-off-by: Hui Peng
---
drivers/media/usb/dvb-usb/technisat-usb2.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c
b/drivers/media/usb/dvb-usb/technisat-usb2.c
index c659e18b358b
path, the `dev` field is not
(and thus needs to be) freed.
This bug was found in v4.19, but is also present in the latest version
of kernel.
Reported-by: Hui Peng
Reported-by: Mathias Payer
Signed-off-by: Hui Peng
---
drivers/net/wireless/rsi/rsi_91x_usb.c | 1 -
1 file changed, 1 deletion
-by: Hui Peng
Reported-by: Mathias Payer
Signed-off-by: Hui Peng
---
sound/usb/mixer.c | 25 ++---
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index b5927c3d5bc0..00e6274a63c3 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb
-by: Hui Peng
Reported-by: Mathias Payer
Signed-off-by: Hui Peng
---
sound/usb/mixer.c | 25 ++---
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index b5927c3d5bc0..00e6274a63c3 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb
feedback.
On 8/15/19 12:35 AM, Hui Peng wrote:
> `check_input_term` recursively calls itself with input
> from device side (e.g., uac_input_terminal_descriptor.bCSourceID)
> as argument (id). In `check_input_term`, if `check_input_term`
> is called with the same `id` argument a
stack overflow.
This patch fixes the bug by adding a bitmap to `struct mixer_build`
to keep track of the checked ids by `check_input_term` and stop
the execution if some id has been checked (similar to how
parse_audio_unit handles unitid argument).
Reported-by: Hui Peng
Reported-by: Mathias Payer
[];
}
```
This patch fixes the bug by add a sanity check on the length of
the descriptor.
Signed-off-by: Hui Peng
Reported-by: Hui Peng
Reported-by: Mathias Payer
---
sound/usb/mixer.c | 9 +
1 file changed, 9 insertions(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index
ot report complete addresses, it may trigger
NULL-ptr-deref `ath6kl_usb_alloc_urb_from_pipe` and
`ath6kl_usb_free_urb_to_pipe`.
This patch fixes the bug by preventing potential NULL-ptr-deref.
Signed-off-by: Hui Peng
Reported-by: Hui Peng
Reported-by: Mathias Payer
---
drivers/net/wireless/at
17 matches
Mail list logo