mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
36 lines
1.4 KiB
Diff
36 lines
1.4 KiB
Diff
|
From 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
Date: Tue, 6 Dec 2016 08:36:29 +0100
|
||
|
|
Subject: [PATCH] usb: gadgetfs: restrict upper bound on device configuration
|
||
|
|
size
|
||
|
|
|
||
|
|
Andrey Konovalov reported that we were not properly checking the upper
|
||
|
|
limit before of a device configuration size before calling
|
||
|
|
memdup_user(), which could cause some problems.
|
||
|
|
|
||
|
|
So set the upper limit to PAGE_SIZE * 4, which should be good enough for
|
||
|
|
all devices.
|
||
|
|
|
||
|
|
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||
|
|
Cc: stable <stable@vger.kernel.org>
|
||
|
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
|
||
|
|
---
|
||
|
|
drivers/usb/gadget/legacy/inode.c | 3 ++-
|
||
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
|
||
|
|
index e8f4102d19df5..48f1409b438ad 100644
|
||
|
|
--- a/drivers/usb/gadget/legacy/inode.c
|
||
|
|
+++ b/drivers/usb/gadget/legacy/inode.c
|
||
|
|
@@ -1762,7 +1762,8 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
|
||
|
|
}
|
||
|
|
spin_unlock_irq(&dev->lock);
|
||
|
|
|
||
|
|
- if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
|
||
|
|
+ if ((len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4)) ||
|
||
|
|
+ (len > PAGE_SIZE * 4))
|
||
|
|
return -EINVAL;
|
||
|
|
|
||
|
|
/* we might need to change message format someday */
|