mirror of https://github.com/torvalds/linux.git
afb8e24652
aqc111_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular: - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips. - A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by a cloned SKB that has already been handed off into the network stack. - A packet SKB can be constructed whose tail is far beyond its end, causing out-of-bounds heap data to be considered part of the SKB's data. Found doing variant analysis. Tested it with another driver (ax88179_178a), since I don't have a aqc111 device to test it, but the code looks very similar. Signed-off-by: Marcin Kozlowski <marcinguy@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| aqc111.c | ||
| aqc111.h | ||
| asix.h | ||
| asix_common.c | ||
| asix_devices.c | ||
| ax88172a.c | ||
| ax88179_178a.c | ||
| catc.c | ||
| cdc-phonet.c | ||
| cdc_eem.c | ||
| cdc_ether.c | ||
| cdc_mbim.c | ||
| cdc_ncm.c | ||
| cdc_subset.c | ||
| ch9200.c | ||
| cx82310_eth.c | ||
| dm9601.c | ||
| gl620a.c | ||
| hso.c | ||
| huawei_cdc_ncm.c | ||
| int51x1.c | ||
| ipheth.c | ||
| kalmia.c | ||
| kaweth.c | ||
| lan78xx.c | ||
| lan78xx.h | ||
| lg-vl600.c | ||
| mcs7830.c | ||
| net1080.c | ||
| pegasus.c | ||
| pegasus.h | ||
| plusb.c | ||
| qmi_wwan.c | ||
| r8152.c | ||
| r8153_ecm.c | ||
| rndis_host.c | ||
| rtl8150.c | ||
| sierra_net.c | ||
| smsc75xx.c | ||
| smsc75xx.h | ||
| smsc95xx.c | ||
| smsc95xx.h | ||
| sr9700.c | ||
| sr9700.h | ||
| sr9800.c | ||
| sr9800.h | ||
| usbnet.c | ||
| zaurus.c | ||