Date:      Thu, 07 Dec 2006 08:34:59 +0300
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   usb/106435: Possible buffer overflow in dev/usb/ums.c
Message-ID:  <E1GsBuN-0003Lk-BG@pobox.codelabs.ru>
Resent-Message-ID: <200612070540.kB75eDRp001948@freefall.freebsd.org>


>Number:         106435
>Category:       usb
>Synopsis:       Possible buffer overflow in dev/usb/ums.c
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-usb
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 07 05:40:12 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 6.2-PRERELEASE i386
>Organization:
Code Labs
>Environment:
System: FreeBSD XXX 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #9: Tue Dec 5 09:10:06 MSK 2006 root@XXX:/usr/obj/usr/src/sys/XXX i386
	
>Description:
A potential buffer overrun exists: sc->sc_ibuf is allocated as
-----
sc->sc_ibuf = malloc(sc->sc_isize, M_USB, M_NOWAIT);
-----
in the attach handler, but the interrupt handler always prints 6
bytes of sc->sc_ibuf, regardless of sc->sc_isize:
-----
        DPRINTFN(5, ("ums_intr: data = %02x %02x %02x %02x %02x %02x\n",
                     sc->sc_ibuf[0], sc->sc_ibuf[1], sc->sc_ibuf[2],
                     sc->sc_ibuf[3], sc->sc_ibuf[4], sc->sc_ibuf[5]));
-----

This issue can be triggered only when USB_DEBUG is defined, so it does
not exist in production builds.
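The same bounded dump modelled in user-space C, as an added example that is not the driver's code or the PR's patch: `ums_softc`, `ums_dump_report` and `ums_dump_demo` are hypothetical names, and the 3-byte report is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ums_softc {        /* hypothetical subset of the driver's softc */
    size_t   sc_isize;    /* report size the device declares */
    uint8_t *sc_ibuf;     /* malloc'ed with sc_isize bytes in attach */
};

/* Format "ums_intr: data = xx xx ..." reading exactly sc_isize bytes, never a
 * fixed six.  Returns bytes dumped, or -1 if the line does not fit in out. */
int ums_dump_report(const struct ums_softc *sc, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "ums_intr: data =");
    size_t used;
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    used = (size_t)n;
    for (size_t i = 0; i < sc->sc_isize; i++) {   /* bound is sc_isize */
        n = snprintf(out + used, outsz - used, " %02x", sc->sc_ibuf[i]);
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        used += (size_t)n;
    }
    return (int)sc->sc_isize;
}

/* Constructed 3-byte boot-protocol mouse report (buttons, dx, dy): the
 * original six-index print would read three bytes past this allocation.
 * Formats into a static line capped at outsz; NULL if it does not fit. */
const char *ums_dump_demo(size_t outsz)
{
    static const uint8_t report[3] = { 0x01, 0xff, 0x00 };
    static char line[64];
    struct ums_softc sc;
    int rc;
    if (outsz > sizeof line)
        outsz = sizeof line;
    sc.sc_isize = sizeof report;
    sc.sc_ibuf = malloc(sc.sc_isize);     /* mirrors ums_attach() */
    if (sc.sc_ibuf == NULL)
        return NULL;
    memcpy(sc.sc_ibuf, report, sc.sc_isize);
    rc = ums_dump_report(&sc, line, outsz);
    free(sc.sc_ibuf);
    return rc < 0 ? NULL : line;
}
```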
>How-To-Repeat:
Look into the /sys/dev/usb/ums.c code.
>Fix:
The following patch will help:
--- ums.c.orig	Tue Dec  5 13:29:34 2006
+++ ums.c	Tue Dec  5 13:31:40 2006
@@ -431,9 +431,10 @@
 #define UMS_BUT(i) ((i) < 3 ? (((i) + 2) % 3) : (i))
 
 	DPRINTFN(5, ("ums_intr: sc=%p status=%d\n", sc, status));
-	DPRINTFN(5, ("ums_intr: data = %02x %02x %02x %02x %02x %02x\n",
-		     sc->sc_ibuf[0], sc->sc_ibuf[1], sc->sc_ibuf[2],
-		     sc->sc_ibuf[3], sc->sc_ibuf[4], sc->sc_ibuf[5]));
+	DPRINTFN(5, ("ums_intr: data =));
+	for (i = 0; i < sc->sc_isize; i++)
+		DPRINTFN(5, (" %02x", sc->sc_ibuf[i]));
+	DPRINTFN(5, ("\n"));
 
 	if (status == USBD_CANCELLED)
 		return;
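Review bot: the first added line, `DPRINTFN(5, ("ums_intr: data =));`, drops the closing double quote of the string literal, so the hunk does not compile as posted; it should read `DPRINTFN(5, ("ums_intr: data ="));`. The loop also uses `i` without any declaration visible in the hunk, so confirm that ums_intr() already has a suitable integer in scope before committing.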
>Release-Note:
>Audit-Trail:
>Unformatted: