| Message ID | 20240316203354.81591-1-bazilevich@sicamp.ru |
|---|---|
| State | New |
| Headers | show |
| Series | usb: typec: anx7411: Fix possible buffer overflow in anx7411_send_msg() | expand |
Le 16/03/2024 à 21:33, Grigory Bazilevich a écrit : > Passing a size argument greater than or equal to MAX_BUF_LEN causes > a buffer overflow when the checksum is written. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: fe6d8a9c8e64 ("usb: typec: anx7411: Add Analogix PD ANX7411 support") > Signed-off-by: Grigory Bazilevich <bazilevich-vHv2KSI2GGSHXe+LvDLADg@public.gmane.org> > --- > drivers/usb/typec/anx7411.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/typec/anx7411.c b/drivers/usb/typec/anx7411.c > index b12a07edc71b..70ba56dfb22b 100644 > --- a/drivers/usb/typec/anx7411.c > +++ b/drivers/usb/typec/anx7411.c > @@ -733,7 +733,7 @@ static int anx7411_send_msg(struct anx7411_data *ctx, u8 type, u8 *buf, u8 size) > u8 crc; > int ret; > > - size = min_t(u8, size, (u8)MAX_BUF_LEN); > + size = min_t(u8, size, (u8)(MAX_BUF_LEN - 1)); Hi, with "min_t(u8, ...", is the casting needed? CJ > memcpy(msg->buf, buf, size); > msg->msg_type = type; > /* msg len equals buffer length + msg_type */
Hi mrfoxygmfr, thanks for the fixing. Reviewed-by: Xin Ji <xji@analogixsemi.com> > -----Original Message----- > From: mrfoxygmfr@sicamp.ru <mrfoxygmfr@sicamp.ru> On Behalf Of Grigory > Bazilevich > Sent: Sunday, March 17, 2024 4:34 AM > To: Heikki Krogerus <heikki.krogerus@linux.intel.com>; Greg Kroah-Hartman > <gregkh@linuxfoundation.org>; Xin Ji <xji@analogixsemi.com> > Cc: Grigory Bazilevich <bazilevich@sicamp.ru>; linux-usb@vger.kernel.org; linux- > kernel@vger.kernel.org; lvc-project@linuxtesting.org > Subject: [PATCH] usb: typec: anx7411: Fix possible buffer overflow in > anx7411_send_msg() > > CAUTION: This email originated from outside of the organization. Please do not > click links or open attachments unless you recognize the sender, and know the > content is safe. > > > Passing a size argument greater than or equal to MAX_BUF_LEN causes a buffer > overflow when the checksum is written. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: fe6d8a9c8e64 ("usb: typec: anx7411: Add Analogix PD ANX7411 support") > Signed-off-by: Grigory Bazilevich <bazilevich@sicamp.ru> > --- > drivers/usb/typec/anx7411.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/typec/anx7411.c b/drivers/usb/typec/anx7411.c index > b12a07edc71b..70ba56dfb22b 100644 > --- a/drivers/usb/typec/anx7411.c > +++ b/drivers/usb/typec/anx7411.c > @@ -733,7 +733,7 @@ static int anx7411_send_msg(struct anx7411_data *ctx, > u8 type, u8 *buf, u8 size) > u8 crc; > int ret; > > - size = min_t(u8, size, (u8)MAX_BUF_LEN); > + size = min_t(u8, size, (u8)(MAX_BUF_LEN - 1)); > memcpy(msg->buf, buf, size); > msg->msg_type = type; > /* msg len equals buffer length + msg_type */ > -- > 2.39.2
On Sat, Mar 16, 2024 at 11:33:53PM +0300, Grigory Bazilevich wrote: > Passing a size argument greater than or equal to MAX_BUF_LEN causes > a buffer overflow when the checksum is written. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: fe6d8a9c8e64 ("usb: typec: anx7411: Add Analogix PD ANX7411 support") > Signed-off-by: Grigory Bazilevich <bazilevich@sicamp.ru> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> > --- > drivers/usb/typec/anx7411.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/typec/anx7411.c b/drivers/usb/typec/anx7411.c > index b12a07edc71b..70ba56dfb22b 100644 > --- a/drivers/usb/typec/anx7411.c > +++ b/drivers/usb/typec/anx7411.c > @@ -733,7 +733,7 @@ static int anx7411_send_msg(struct anx7411_data *ctx, u8 type, u8 *buf, u8 size) > u8 crc; > int ret; > > - size = min_t(u8, size, (u8)MAX_BUF_LEN); > + size = min_t(u8, size, (u8)(MAX_BUF_LEN - 1)); > memcpy(msg->buf, buf, size); > msg->msg_type = type; > /* msg len equals buffer length + msg_type */ > -- > 2.39.2
diff --git a/drivers/usb/typec/anx7411.c b/drivers/usb/typec/anx7411.c index b12a07edc71b..70ba56dfb22b 100644 --- a/drivers/usb/typec/anx7411.c +++ b/drivers/usb/typec/anx7411.c @@ -733,7 +733,7 @@ static int anx7411_send_msg(struct anx7411_data *ctx, u8 type, u8 *buf, u8 size) u8 crc; int ret; - size = min_t(u8, size, (u8)MAX_BUF_LEN); + size = min_t(u8, size, (u8)(MAX_BUF_LEN - 1)); memcpy(msg->buf, buf, size); msg->msg_type = type; /* msg len equals buffer length + msg_type */
Passing a size argument greater than or equal to MAX_BUF_LEN causes a buffer overflow when the checksum is written. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: fe6d8a9c8e64 ("usb: typec: anx7411: Add Analogix PD ANX7411 support") Signed-off-by: Grigory Bazilevich <bazilevich@sicamp.ru> --- drivers/usb/typec/anx7411.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)