usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()

Userspace provided string 's' could trivially have the length zero. Left unchecked this will firstly result in an OOB read in the form `if (str[0 - 1] == '\n') followed closely by an OOB write in the form `str[0 - 1] = '\0'`. There is already a validating check to catch strings that are too long. Let's supply an additional check for invalid strings that are too short. Signed-off-by: Lee Jones <lee@kernel.org> Cc: stable <stable@kernel.org> Link: https://lore.kernel.org/r/20240705074339.633717-1-lee@kernel.orgSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()
Userspace provided string 's' could trivially have the length zero. Left unchecked this will firstly result in an OOB read in the form `if (str[0 - 1] == '\n') followed closely by an OOB write in the form `str[0 - 1] = '\0'`. There is already a validating check to catch strings that are too long. Let's supply an additional check for invalid strings that are too short. Signed-off-by: Lee Jones <lee@kernel.org> Cc: stable <stable@kernel.org> Link: https://lore.kernel.org/r/20240705074339.633717-1-lee@kernel.orgSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
6d3c721e · Lee Jones · Greg Kroah-Hartman · 2bf35ea4 · 6d3c721e
Commit 6d3c721e authored Jul 05, 2024 by Lee Jones Committed by Greg Kroah-Hartman Jul 05, 2024
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

drivers/usb/gadget/configfs.c drivers/usb/gadget/configfs.c +3 -0

No files found.
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -115,9 +115,12 @@ static int usb_string_copy(const char *s, char **s_copy)
 	int ret;
 	char *str;
 	char *copy = *s_copy;
+
 	ret = strlen(s);
 	if (ret > USB_MAX_STRING_LEN)
 		return -EOVERFLOW;
+	if (ret < 1)
+		return -EINVAL;

 	if (copy) {
 		str = copy;