linux/drivers/usb/misc
Jann Horn f1e255d60a USB: yurex: fix out-of-bounds uaccess in read handler
In general, accessing userspace memory beyond the length of the supplied
buffer in VFS read/write handlers can lead to both kernel memory corruption
(via kernel_read()/kernel_write(), which can e.g. be triggered via
sys_splice()) and privilege escalation inside userspace.

Fix it by using simple_read_from_buffer() instead of custom logic.

Fixes: 6bc235a2e2 ("USB: add driver for Meywa-Denki & Kayac YUREX")
Signed-off-by: Jann Horn <jannh@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-07-06 17:21:34 +02:00
..
sisusbvga treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
adutux.c
appledisplay.c
chaoskey.c
cypress_cy7c63.c
cytherm.c
ehset.c
emi26.c
emi62.c
ezusb.c
ftdi-elan.c
idmouse.c
iowarrior.c
isight_firmware.c
Kconfig
ldusb.c
legousbtower.c
lvstest.c
Makefile
rio500_usb.h
rio500.c
trancevibrator.c
usb251xb.c
usb3503.c
usb4604.c
usb_u132.h
usblcd.c
usbsevseg.c
usbtest.c
uss720.c
yurex.c USB: yurex: fix out-of-bounds uaccess in read handler 2018-07-06 17:21:34 +02:00