Re: net/gadget: slab-out-of-bounds write in dev_config

Hi, Alan Stern writes: >> > Index: usb-4.x/drivers/usb/gadget/legacy/inode.c >> > === >> > --- usb-4.x.orig/drivers/usb/gadget/legacy/inode.c >> > +++ usb-4.x/drivers/usb/gadget/legacy/inode.c >> > @@

Re: net/gadget: slab-out-of-bounds write in dev_config

On Tue, 27 Dec 2016, Felipe Balbi wrote: > > Hi, > > Alan Stern writes: > > On Tue, 6 Dec 2016, Andrey Konovalov wrote: > > > >> Hi! > >> > >> I've got the following error report while running the syzkaller fuzzer. > >> > >> ep0_write() doesn't check the length, so

Re: net/gadget: slab-out-of-bounds write in dev_config

Hi, Alan Stern writes: > On Tue, 6 Dec 2016, Andrey Konovalov wrote: > >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> ep0_write() doesn't check the length, so a user can cause an >> out-of-bounds with both size and data

Re: net/gadget: slab-out-of-bounds write in dev_config

On Tue, Dec 6, 2016 at 4:30 PM, Alan Stern wrote: > On Tue, 6 Dec 2016, Andrey Konovalov wrote: > >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> ep0_write() doesn't check the length, so a user can cause an >> out-of-bounds

Re: net/gadget: slab-out-of-bounds write in dev_config

On Tue, 6 Dec 2016, Andrey Konovalov wrote: > Hi! > > I've got the following error report while running the syzkaller fuzzer. > > ep0_write() doesn't check the length, so a user can cause an > out-of-bounds with both size and data controlled. > There's a comment which says "IN DATA+STATUS

net/gadget: slab-out-of-bounds write in dev_config

Hi! I've got the following error report while running the syzkaller fuzzer. ep0_write() doesn't check the length, so a user can cause an out-of-bounds with both size and data controlled. There's a comment which says "IN DATA+STATUS caller makes len <= wLength". While I'm not exactly sure what