kernel_optimize_test/drivers/usb/usbip
Shuah Khan (Samsung OSG) 81f7567c51 usb: usbip: Fix BUG: KASAN: slab-out-of-bounds in vhci_hub_control()
vhci_hub_control() accesses port_status array with out of bounds port
value. Fix it to reference port_status[] only with a valid rhport value
when invalid_rhport flag is true.

The invalid_rhport flag is set early on after detecting in port value
is within the bounds or not.

The following is used reproduce the problem and verify the fix:
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ed8ab6400000

Reported-by: syzbot+bccc1fe10b70fadc78d0@syzkaller.appspotmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-09 16:13:42 +02:00
..
Kconfig usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS 2018-03-09 09:16:18 -08:00
Makefile
README
stub_dev.c usbip: usbip_host: fix NULL-ptr deref and use-after-free errors 2018-05-15 09:52:02 +02:00
stub_main.c usbip: usbip_host: fix bad unlock balance during stub_probe() 2018-05-16 18:52:13 +02:00
stub_rx.c
stub_tx.c
stub.h usbip: usbip_host: fix NULL-ptr deref and use-after-free errors 2018-05-15 09:52:02 +02:00
usbip_common.c Merge 4.15-rc8 into usb-next 2018-01-15 15:00:11 +01:00
usbip_common.h usbip: vhci_hcd: Fix usb device and sockfd leaks 2018-04-22 14:45:11 +02:00
usbip_event.c usbip: usbip_event: fix to not print kernel pointer address 2018-04-22 14:45:12 +02:00
vhci_hcd.c usb: usbip: Fix BUG: KASAN: slab-out-of-bounds in vhci_hub_control() 2018-10-09 16:13:42 +02:00
vhci_rx.c usbip: vhci: fix spelling mistake: "synchronuously" -> "synchronously" 2018-01-04 17:05:55 +01:00
vhci_sysfs.c usbip: vhci_sysfs: fix potential Spectre v1 2018-05-24 18:14:28 +02:00
vhci_tx.c
vhci.h
vudc_dev.c usb: usbip: remove redundant pointer ep 2018-07-13 15:41:55 +02:00
vudc_main.c
vudc_rx.c usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input 2018-01-04 17:07:26 +01:00
vudc_sysfs.c usbip: vudc: fix null pointer dereference on udc->lock 2018-03-09 10:01:07 -08:00
vudc_transfer.c
vudc_tx.c usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer 2018-01-04 17:07:27 +01:00
vudc.h

TODO:
	- more discussion about the protocol
	- testing
	- review of the userspace interface
	- document the protocol

Please send patches for this code to Greg Kroah-Hartman <greg@kroah.com>