linux

mirror of https://github.com/torvalds/linux.git synced 2024-11-14 16:12:02 +00:00

History

Kees Cook ce33e64c17 USB: ene_usb6250: Allocate enough memory for full object The allocation of PageBuffer is 512 bytes in size, but the dereferencing of struct ms_bootblock_idi (also size 512) happens at a calculated offset within the allocation, which means the object could potentially extend beyond the end of the allocation. Avoid this case by just allocating enough space to catch any accesses beyond the end. Seen with GCC 13: ../drivers/usb/storage/ene_ub6250.c: In function 'ms_lib_process_bootblock': ../drivers/usb/storage/ene_ub6250.c:1050:44: warning: array subscript 'struct ms_bootblock_idi[0]' is partly outside array bounds of 'unsigned char[512]' [-Warray-bounds=] 1050 \| if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF) \| ^~ ../include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu' 37 \| #define __le16_to_cpu(x) ((__force __u16)(__le16)(x)) \| ^ ../drivers/usb/storage/ene_ub6250.c:1050:29: note: in expansion of macro 'le16_to_cpu' 1050 \| if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF) \| ^~~~~~~~~~~ In file included from ../drivers/usb/storage/ene_ub6250.c:5: In function 'kmalloc', inlined from 'ms_lib_process_bootblock' at ../drivers/usb/storage/ene_ub6250.c:942:15: ../include/linux/slab.h:580:24: note: at offset [256, 512] into object of size 512 allocated by 'kmalloc_trace' 580 \| return kmalloc_trace( \| ^~~~~~~~~~~~~~ 581 \| kmalloc_caches[kmalloc_type(flags)][index], \| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 582 \| flags, size); \| ~~~~~~~~~~~~ Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20230204183546.never.849-kees@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2023-02-06 13:46:42 +01:00
..
alauda.c	usb: storage: Add check for kcalloc	2022-12-08 16:43:12 +01:00
cypress_atacb.c	scsi: core: Remove the cmd field from struct scsi_request	2022-03-01 22:21:49 -05:00
datafab.c
debug.c	scsi: Remove drivers/scsi/scsi.h	2022-02-22 21:11:02 -05:00
debug.h
ene_ub6250.c	USB: ene_usb6250: Allocate enough memory for full object	2023-02-06 13:46:42 +01:00
freecom.c
initializers.c
initializers.h
isd200.c	usb-storage: isd200: fix initFunction error return	2022-04-21 19:02:42 +02:00
jumpshot.c
karma.c	USB: storage: karma: fix rio_karma_init return	2022-04-21 19:03:26 +02:00
Kconfig
Makefile
onetouch.c	usb: move from strlcpy with unused retval to strscpy	2022-08-19 11:08:54 +02:00
option_ms.c
option_ms.h
protocol.c
protocol.h
realtek_cr.c	USB: storage: ums-realtek: fix error code in rts51x_read_mem()	2022-03-15 18:21:25 +01:00
scsiglue.c	scsi: usb: Switch to attribute groups	2021-10-16 21:45:59 -04:00
scsiglue.h
sddr09.c
sddr55.c
shuttle_usbat.c	usb-storage: shuttle_usbat: fix initFunction error return	2022-04-21 19:02:40 +02:00
sierra_ms.c	usb-storage: Remove redundant assignments	2021-12-30 12:10:17 +01:00
sierra_ms.h
transport.c	USB: storage: Fix typo in comment	2022-06-21 16:39:42 +02:00
transport.h
uas-detect.h	usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210	2023-01-17 16:37:04 +01:00
uas.c	scsi: uas: Drop DID_TARGET_FAILURE use	2022-09-06 22:05:58 -04:00
unusual_alauda.h
unusual_cypress.h
unusual_datafab.h
unusual_devs.h	Revert "usb: storage: Add quirk for Samsung Fit flash"	2022-09-22 15:52:31 +02:00
unusual_ene_ub6250.h
unusual_freecom.h
unusual_isd200.h
unusual_jumpshot.h
unusual_karma.h
unusual_onetouch.h
unusual_realtek.h
unusual_sddr09.h
unusual_sddr55.h
unusual_uas.h	usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210	2023-01-17 16:37:04 +01:00
unusual_usbat.h
usb.c	scsi: usb: storage: Complete the SCSI request directly	2022-02-07 23:14:15 -05:00
usb.h
usual-tables.c