linux.git - Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

diff options

author	Xinyu Liu <1171169449@qq.com>	2025-07-09 11:55:33 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-07-24 08:53:10 +0200
commit	58bdd5160184645771553ea732da5c2887fc9bd1 (patch)
tree	071dced1d48ac6353dce84d9fdd22171677fbb11 /drivers/i2c
parent	ec35a7125d945ed66bf1147ace59db414a259ac6 (diff)
download	linux-58bdd5160184645771553ea732da5c2887fc9bd1.tar.gz linux-58bdd5160184645771553ea732da5c2887fc9bd1.tar.bz2 linux-58bdd5160184645771553ea732da5c2887fc9bd1.zip

usb: gadget: configfs: Fix OOB read on empty string write

commit 3014168731b7930300aab656085af784edc861f6 upstream. When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero. This patch fixes the vulnerability by adding a check at the beginning of os_desc_qw_sign_store() and webusb_landingPage_store() to handle the zero-length input case gracefully by returning immediately. Signed-off-by: Xinyu Liu <katieeliu@tencent.com> Cc: stable <stable@kernel.org> Link: https://lore.kernel.org/r/tencent_B1C9481688D0E95E7362AB2E999DE8048207@qq.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'drivers/i2c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: