linux-yocto/net
Dominique Martinet 0da18d49f8 net/9p: Fix buffer overflow in USB transport layer
commit c04db81cd0288dfc68b7a0f7d09bd49b40bba451 upstream.

A buffer overflow vulnerability exists in the USB 9pfs transport layer
where inconsistent size validation between packet header parsing and
actual data copying allows a malicious USB host to overflow heap buffers.

The issue occurs because:
- usb9pfs_rx_header() validates only the declared size in packet header
- usb9pfs_rx_complete() uses req->actual (actual received bytes) for memcpy

This allows an attacker to craft packets with small declared size
(bypassing validation) but large actual payload (triggering overflow
in memcpy).

Add validation in usb9pfs_rx_complete() to ensure req->actual does not
exceed the buffer capacity before copying data.

Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Closes: https://lkml.kernel.org/r/20250616132539.63434-1-danisjiang@gmail.com
Fixes: a3be076dc1 ("net/9p/usbg: Add new usb gadget function transport")
Cc: stable@vger.kernel.org
Message-ID: <20250622-9p-usb_overflow-v3-1-ab172691b946@codewreck.org>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-10-15 12:00:24 +02:00
6lowpan
9p net/9p: Fix buffer overflow in USB transport layer 2025-10-15 12:00:24 +02:00
802
8021q net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime 2025-07-24 08:56:34 +02:00
appletalk net: appletalk: Fix use-after-free in AARP proxy probe 2025-08-01 09:48:41 +01:00
atm net: atm: fix memory leak in atm_register_sysfs when device_register fail 2025-09-09 18:58:13 +02:00
ax25 ax25: properly unshare skbs in ax25_kiss_rcv() 2025-09-09 18:58:13 +02:00
batman-adv batman-adv: fix OOB read/write in network-coding decode 2025-09-09 18:58:18 +02:00
bluetooth Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements 2025-10-15 12:00:18 +02:00
bpf
bridge net: bridge: Bounce invalid boolopts 2025-09-19 16:35:48 +02:00
caif caif: reduce stack size, again 2025-08-15 12:13:40 +02:00
can can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails 2025-09-19 16:35:49 +02:00
ceph libceph: fix invalid accesses to ceph_connection_v1_info 2025-09-19 16:35:47 +02:00
core bpf: Explicitly check accesses to bpf_sock_addr 2025-10-15 12:00:02 +02:00
dcb
dccp
devlink
dns_resolver
dsa net: dsa: provide implementation of .support_eee() 2025-09-09 18:58:19 +02:00
ethernet
ethtool
handshake
hsr hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr 2025-09-19 16:35:50 +02:00
ieee802154
ife
ipv4 tcp: fix __tcp_close() to only send RST when required 2025-10-15 12:00:08 +02:00
ipv6 net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 2025-09-09 18:58:10 +02:00
iucv
kcm net: kcm: Fix race condition in kcm_unattach() 2025-08-20 18:30:18 +02:00
key
l2tp l2tp: do not use sock_hold() in pppol2tp_session_get_sock() 2025-09-04 15:31:51 +02:00
l3mdev
lapb
llc llc: fix data loss when reading from a socket in llc_ui_recvmsg() 2025-05-29 11:03:20 +02:00
mac80211 wifi: mac80211: fix Rx packet handling when pubsta information is not available 2025-10-15 12:00:13 +02:00
mac802154
mctp mctp: return -ENOPROTOOPT for unknown getsockopt options 2025-09-09 18:58:13 +02:00
mpls mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). 2025-06-27 11:11:43 +01:00
mptcp mptcp: pm: nl: announce deny-join-id0 flag 2025-09-25 11:13:50 +02:00
ncsi net: ncsi: Fix buffer overflow in fetching version id 2025-08-20 18:30:38 +02:00
netfilter netfilter: nfnetlink: reset nlh pointer during batch replay 2025-10-15 12:00:16 +02:00
netlabel calipso: unlock rcu before returning -EAFNOSUPPORT 2025-06-19 15:32:37 +02:00
netlink genetlink: fix genl_bind() invoking bind() after -EPERM 2025-09-19 16:35:48 +02:00
netrom
nfc net: nfc: nci: Add parameter validation for packet data 2025-10-15 12:00:21 +02:00
nsh
openvswitch net: openvswitch: Fix the dead loop of MPLS parse 2025-06-19 15:31:55 +02:00
packet net/packet: fix a race in packet_set_ring() and packet_notifier() 2025-08-15 12:14:09 +02:00
phonet phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() 2025-07-24 08:56:24 +02:00
psample
qrtr
rds rds: ib: Increment i_fastreg_wrs before bailing out 2025-09-25 11:13:47 +02:00
rfkill net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer 2025-09-25 11:13:47 +02:00
rose net: rose: fix a typo in rose_clear_routes() 2025-09-04 15:31:55 +02:00
rxrpc rxrpc: Fix transmission of an abort in response to an abort 2025-07-24 08:56:35 +02:00
sched net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate 2025-08-28 16:31:15 +02:00
sctp sctp: initialize more fields in sctp_v6_from_sk() 2025-09-04 15:31:51 +02:00
smc net/smc: fix warning in smc_rx_splice() when calling get_page() 2025-10-02 13:44:10 +02:00
strparser
sunrpc sunrpc: fix null pointer dereference on zero-length checksum 2025-10-15 12:00:24 +02:00
switchdev
tipc tipc: Fix use-after-free in tipc_conn_close(). 2025-07-17 18:37:05 +02:00
tls tls: make sure to abort the stream if headers are bogus 2025-09-25 11:13:44 +02:00
unix af_unix: Don't set -ECONNRESET for consumed OOB skb. 2025-07-06 11:01:40 +02:00
vmw_vsock vsock/virtio: Validate length in packet header before skb_put() 2025-08-28 16:30:59 +02:00
wireless wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() 2025-09-09 18:58:12 +02:00
x25
xdp
xfrm xfrm: xfrm_alloc_spi shouldn't use 0 as SPI 2025-10-02 13:44:09 +02:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c
sysctl_net.c