In vhci_driver.c there is the following code:

static int read_record(int rhport, char *host, char *port, char *busid)
{
	FILE *file;
	char path[PATH_MAX+1];

	snprintf(path, PATH_MAX, VHCI_STATE_PATH"/port%d", rhport);

	file = fopen(path, "r");
	if (!file) {
		err("fopen");
		return -1;
	}

	if (fscanf(file, "%s %s %s\n", host, port, busid) != 3) {
		err("fscanf");
		fclose(file);
		return -1;
	}

Parameters to read_record are declared on the stack here:

	char product_name[100];
	char host[NI_MAXHOST] = "unknown host";
	char serv[NI_MAXSERV] = "unknown port";
	char remote_busid[SYSFS_BUS_ID_SIZE];
	int ret;
	int read_record_error = 0;

	if (idev->status == VDEV_ST_NULL ||
	    idev->status == VDEV_ST_NOTASSIGNED)
		return 0;

	ret = read_record(idev->port, host, serv, remote_busid);

If someone is able to corrupt or specially craft the port file, fscanf may read strings that are larger than NI_MAXHOST. This could result in a buffer overflow during a file read. At the very worst, this is not resilient against malformed files, as a file with three strings will get past the check for three.
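A bounded reader for the same three-field port record, added here as an example (not the usbip tool's own code; the buffer sizes and the parse_record / read_record_safe names are assumptions). Each token is length-checked against its destination buffer before it is copied, and a missing or extra token is rejected, which closes both the unbounded "%s" write and the "three strings pass the check" weakness the report describes.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes standing in for NI_MAXHOST, NI_MAXSERV, SYSFS_BUS_ID_SIZE. */
#define HOST_LEN 64
#define PORT_LEN 32
#define BUSID_LEN 32

/* Parse one "host port busid" record from a line. Unlike fscanf("%s"), each
 * token's length is checked against its destination buffer before copying,
 * and a missing or fourth token is rejected rather than silently accepted.
 * Returns 0 on success, -1 on any malformed record. */
static int parse_record(const char *line, char *host, size_t host_len,
                        char *port, size_t port_len, char *busid, size_t busid_len)
{
    char buf[512];
    char *dst[3] = { host, port, busid };
    size_t cap[3] = { host_len, port_len, busid_len };
    char *tok;
    int i;
    if (strlen(line) >= sizeof buf)   /* strtok() edits its input: copy it */
        return -1;
    strcpy(buf, line);
    tok = strtok(buf, " \t\r\n");
    for (i = 0; i < 3; i++) {
        if (!tok || strlen(tok) >= cap[i])
            return -1;                /* missing or oversized field */
        memcpy(dst[i], tok, strlen(tok) + 1);
        tok = strtok(NULL, " \t\r\n");
    }
    return tok ? -1 : 0;              /* trailing tokens: reject */
}

/* File-level wrapper with read_record()'s contract: one record per file. */
static int read_record_safe(const char *path, char *host, size_t host_len,
                            char *port, size_t port_len, char *busid, size_t busid_len)
{
    char line[512];
    FILE *file = fopen(path, "r");
    int rc = -1;

    if (!file)
        return -1;
    /* A line with no '\n' that did not reach EOF was truncated: reject it. */
    if (fgets(line, sizeof line, file) && (strchr(line, '\n') || feof(file)))
        rc = parse_record(line, host, host_len, port, port_len, busid, busid_len);
    fclose(file);
    return rc;
}
```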
On Tue, Feb 04, 2014 at 12:44:40AM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=69931
>
>             Bug ID: 69931
>            Summary: Unbounded file read
>            Product: Drivers
>            Version: 2.5
>     Kernel Version: 3.14-rc1
>           Hardware: All
>                 OS: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: USB
>           Assignee: greg@kroah.com
>           Reporter: jboyd@securityinnovation.com
>         Regression: No
>
> In vhci_driver.c there is the following code:
> static int read_record(int rhport, char *host, char *port, char *busid)
> {

Patches to fix this are gladly accepted, please send them to linux-usb@vger.kernel.org