[PATCH] usbmon: Fix out-of-bounds read in mon_copy_to_buff

From: Manas Gupta via B4 Relay
Date: Wed Jul 02 2025 - 17:27:57 EST


From: Manas Gupta <manas18244@xxxxxxxxxxx>

memcpy tries to copy buffer 'from' when it is empty. This leads to an
out-of-bounds crash.

This checks if the buffer is already empty and throws an appropriate
error message before bailing out.

Fixes: 6f23ee1fefdc1 ("USB: add binary API to usbmon")
Reported-by: syzbot+86b6d7c8bcc66747c505@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=86b6d7c8bcc66747c505
Signed-off-by: Manas Gupta <manas18244@xxxxxxxxxxx>
---
I have used printk(KERN_ERR ... to keep things consistent in usbmon.
dev_err and pr_err are not used anywhere else in usbmon.
---
drivers/usb/mon/mon_bin.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c
index c93b43f5bc4614ad75568b601c47a1ae51f01fa5..bd945052f6fb821ba814fab96eba5a82e5d161e2 100644
--- a/drivers/usb/mon/mon_bin.c
+++ b/drivers/usb/mon/mon_bin.c
@@ -249,6 +249,11 @@ static unsigned int mon_copy_to_buff(const struct mon_reader_bin *this,
* Copy data and advance pointers.
*/
buf = this->b_vec[off / CHUNK_SIZE].ptr + off % CHUNK_SIZE;
+ if (!strlen(from)) {
+ printk(KERN_ERR TAG
+ ": src buffer is empty, cannot copy from it\n");
+ return -ENOMEM;
+ }
memcpy(buf, from, step_len);
if ((off += step_len) >= this->b_size) off = 0;
from += step_len;
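Review bot: The added `strlen(from)` check does not fit the data being copied and can itself read past the end of the buffer: `memcpy(buf, from, step_len)` copies `step_len` bytes of raw USB transfer data, which is not NUL-terminated, so `strlen()` will keep scanning until it happens to hit a zero byte, and a zero byte at the start of valid binary data would wrongly abort the copy. "Empty" for this copy is `step_len == 0`, for which `memcpy()` is already a no-op, so the check does not address an out-of-bounds access caused by the length/offset accounting of `step_len` and `off` against `this->b_size`. Also, the function is declared `static unsigned int` (see the `@@` header), so `return -ENOMEM;` is converted to a large positive value rather than an error, and `ENOMEM` is the wrong code for a bad source length. Suggest dropping the `strlen()` test and instead validating the length that feeds `step_len` before the copy, returning a value the caller actually checks.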

---
base-commit: d0b3b7b22dfa1f4b515fd3a295b3fd958f9e81af
change-id: 20250703-fix-oob-mon_copy_to_buff-7cfe26e819b9

Best regards,
--
Manas Gupta <manas18244@xxxxxxxxxxx>