From: Lee Jones lee@kernel.org
mainline inclusion from mainline-v6.10 commit 6d3c721e686ea6c59e18289b400cc95c76e927e0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAILHF CVE: CVE-2024-42236
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Userspace provided string 's' could trivially have the length zero. Left unchecked this will firstly result in an OOB read in the form `if (str[0 - 1] == '\n') followed closely by an OOB write in the form `str[0 - 1] = '\0'`.
There is already a validating check to catch strings that are too long. Let's supply an additional check for invalid strings that are too short.
Signed-off-by: Lee Jones lee@kernel.org Cc: stable stable@kernel.org Link: https://lore.kernel.org/r/20240705074339.633717-1-lee@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: dengquan dengquan9@huawei.com --- drivers/usb/gadget/configfs.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c index c85e64c0c39e..39a483b66484 100644 --- a/drivers/usb/gadget/configfs.c +++ b/drivers/usb/gadget/configfs.c @@ -114,9 +114,12 @@ static int usb_string_copy(const char *s, char **s_copy) int ret; char *str; char *copy = *s_copy; + ret = strlen(s); if (ret > 126) return -EOVERFLOW; + if (ret < 1) + return -EINVAL;
str = kstrdup(s, GFP_KERNEL); if (!str)