mirror-linux/drivers/usb/gadget/function
Greg Kroah-Hartman 8f993d30b9 usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
The block_len read from the host-supplied NTB header is checked against
ntb_max but has no lower bound. When block_len is smaller than
opts->ndp_size, the bounds check of:
	ndp_index > (block_len - opts->ndp_size)
will underflow producing a huge unsigned value that ndp_index can never
exceed, defeating the check entirely.

The same underflow occurs in the datagram index checks against
block_len - opts->dpe_size.  With those checks neutered, a malicious USB host can
choose ndp_index and datagram offsets that point past the actual
transfer, and the skb_put_data() copies adjacent kernel memory into the
network skb.

Fix this by rejecting block lengths that cannot hold at least the NTB
header plus one NDP.  This will make block_len - opts->ndp_size and
block_len - opts->dpe_size both well-defined.

Commit 8d2b1a1ec9 ("CDC-NCM: avoid overflow in sanity checking") fixed
a related class of issues on the host side of NCM.

Fixes: 2b74b0a04d ("USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Link: https://patch.msgid.link/2026040753-baffle-handheld-624d@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-04-07 13:50:49 +02:00
Makefile
f_acm.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
f_ecm.c usb: gadget: f_ecm: Fix net_device lifecycle with device_move 2026-03-30 17:19:29 +02:00
f_eem.c usb: gadget: f_eem: Fix net_device lifecycle with device_move 2026-03-30 17:19:29 +02:00
f_fs.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
f_hid.c usb: gadget: f_hid: Add missing error code 2026-04-07 13:50:14 +02:00
f_loopback.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
f_mass_storage.c usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() 2026-03-11 16:17:44 +01:00
f_mass_storage.h USB: gadget: fix up const issue with struct usb_function_instance 2025-05-23 12:31:34 +02:00
f_midi.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
f_midi2.c usb: gadget: functionfs: Use safer strscpy() instead of strcpy() 2026-03-11 15:39:04 +01:00
f_ncm.c usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() 2026-04-07 13:50:49 +02:00
f_obex.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
f_phonet.c usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() 2026-04-07 13:50:34 +02:00
f_printer.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
f_rndis.c usb: gadget: f_rndis: Fix net_device lifecycle with device_move 2026-03-30 17:19:29 +02:00
f_serial.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
f_sourcesink.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
f_subset.c usb: gadget: f_subset: Fix net_device lifecycle with device_move 2026-03-30 17:19:29 +02:00
f_tcm.c usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling 2026-02-23 20:22:00 +01:00
f_uac1.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
f_uac1_legacy.c usb: gadget: f_uac1_legacy: validate control request size 2026-04-02 09:37:17 +02:00
f_uac2.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
f_uvc.c usb: gadget: uvc: fix NULL pointer dereference during unbind race 2026-03-30 17:04:50 +02:00
f_uvc.h
g_zero.h usb: gadget: f_sourcesink: Support maxburst configurability for bulk endpoints 2026-01-07 16:13:25 +01:00
ndis.h
rndis.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
rndis.h
storage_common.c
storage_common.h
tcm.h
u_audio.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
u_audio.h
u_ecm.h usb: gadget: f_ecm: Fix net_device lifecycle with device_move 2026-03-30 17:19:29 +02:00
u_eem.h usb: gadget: f_eem: Fix net_device lifecycle with device_move 2026-03-30 17:19:29 +02:00
u_ether.c usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo 2026-03-18 16:16:45 +01:00
u_ether.h usb: gadget: f_ncm: Fix net_device lifecycle with device_move 2026-03-11 16:21:19 +01:00
u_ether_configfs.h Revert "usb: gadget: u_ether: add gether_opts for config caching" 2026-03-11 16:21:16 +01:00
u_fs.h functionfs: use spinlock for FFS_DEACTIVATED/FFS_CLOSING transitions 2026-02-05 13:53:12 -05:00
u_gether.h usb: gadget: f_subset: Fix net_device lifecycle with device_move 2026-03-30 17:19:29 +02:00
u_hid.h usb: gadget: hid: allow dynamic interval configuration via configfs 2025-05-01 17:30:48 +02:00
u_midi.h usb: gadget: f_midi: allow customizing the USB MIDI interface string through configfs 2025-12-17 14:43:01 +01:00
u_midi2.h
u_ncm.h usb: gadget: u_ncm: Add kernel-doc comments for struct f_ncm_opts 2026-03-30 17:19:29 +02:00
u_phonet.h
u_printer.h
u_rndis.h usb: gadget: f_rndis: Fix net_device lifecycle with device_move 2026-03-30 17:19:29 +02:00
u_serial.c usb: gadget: functionfs: Use safer strscpy() instead of strcpy() 2026-03-11 15:39:04 +01:00
u_serial.h
u_tcm.h
u_uac1.h
u_uac1_legacy.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
u_uac1_legacy.h
u_uac2.h
u_uvc.h
uac_common.h
uvc.h usb: gadget: uvc: fix NULL pointer dereference during unbind race 2026-03-30 17:04:50 +02:00
uvc_configfs.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
uvc_configfs.h usb: gadget: uvc: Avoid -Wflex-array-member-not-at-end warnings 2025-04-11 16:08:33 +02:00
uvc_queue.c usb: gadget: uvc: retry vb2_reqbufs() with vb_vmalloc_memops if use_sg fail 2026-01-14 16:03:18 +01:00
uvc_queue.h
uvc_trace.c
uvc_trace.h
uvc_v4l2.c usb: gadget: uvc: fix NULL pointer dereference during unbind race 2026-03-30 17:04:50 +02:00
uvc_v4l2.h
uvc_video.c usb: gadget: uvc: fix interval_duration calculation 2026-03-11 16:19:04 +01:00
uvc_video.h