[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables
From: |
P J P |
Subject: |
Re: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables |
Date: |
Tue, 15 Sep 2020 12:17:48 +0530 (IST) |
+-- On Fri, 11 Sep 2020, Alexander Bulekov wrote --+
| > On 200911 2257, Li Qiang wrote:
| > > Could you also provide the reproducer?
* Sorry, we can not share reproducers on the list, I'm afraid.
* Thank you Alex for the -qtests.
| > > I think it is better to split this patch to 2 or three as the infinite
| > > loop as the buffer overflow are independent.
| > >
| > > 1. here the infinite loop
| > > 2. here the stack buffer overflow
| > > 3. Then here is the heap overflow.
| > >
| > > So I think it can be more easier to review to split this to 3 patches.
* These issues are in the same UHCI controller and share the same pattern,
triggered while processing ED/TD lists. They can be combined as a single
CVE.
* Infinite-loop is different. I'll break it into two patches, one for OOB
access and one to avoid an infinite loop case.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D