Posts

Showing posts from May, 2018

Linux kernel drivers/usb/gadget/function/f_fs.c

static int __ffs_func_bind_do_os_desc(enum ffs_os_desc_type type,                                       struct usb_os_desc_header *h, void *data,                                       unsigned len, void *priv) {         struct ffs_function *func = priv;         u8 length = 0;         switch (type) { ...                 ext_prop->type = le32_to_cpu(desc->dwPropertyDataType);                 ext_prop->name_len = le16_to_cpu(desc->wPropertyNameLength);                 ext_prop->data_len = le32_to_cpu(*(u32 *)                         usb_ext_prop_data_len_ptr(data, ext_prop->name_len));                 length = ext_prop->name_len + ext_prop->data_len + 14; length is almost certain not able to hold the correct size if name_len and data_len are not small. considering that name_len comes from le16 and data_len comes from le32, it seems likely that they won't always be trivially small.

2 Recent InfoSect CVEs

Linux Kernel Heap Overflow in Novell Network FS https://nvd.nist.gov/vuln/detail/CVE-2018-8822 https://www.mail-archive.com/netdev@vger.kernel.org/msg223373.html FreeBSD Kernel Memory Disclosure https://nvd.nist.gov/vuln/detail/CVE-2018-6917 https://github.com/freebsd/freebsd/commit/44adf367dc37489a9d01a3cb032c316042464e2d