drivers/usb/gadget/configfs.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
When writing an empty string to either 'qw_sign' or 'landingPage'
sysfs attributes, the store functions attempt to access page[l - 1]
before validating that the length 'l' is greater than zero.
This patch fixes the vulnerability by adding a check at the beginning
of os_desc_qw_sign_store() and webusb_landingPage_store() to handle
the zero-length input case gracefully by returning immediately.
Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
---
drivers/usb/gadget/configfs.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index fba2a56dae97..1bb32d6be9b3 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -1064,7 +1064,8 @@ static ssize_t webusb_landingPage_store(struct config_item *item, const char *pa
struct gadget_info *gi = webusb_item_to_gadget_info(item);
unsigned int bytes_to_strip = 0;
int l = len;
-
+ if (!len)
+ return len;
if (page[l - 1] == '\n') {
--l;
++bytes_to_strip;
@@ -1187,7 +1188,8 @@ static ssize_t os_desc_qw_sign_store(struct config_item *item, const char *page,
{
struct gadget_info *gi = os_desc_item_to_gadget_info(item);
int res, l;
-
+ if (!len)
+ return len;
l = min_t(int, len, OS_STRING_QW_SIGN_LEN >> 1);
if (page[l - 1] == '\n')
--l;
--
2.39.5 (Apple Git-154)On 7/9/25 6:55 AM, Xinyu Liu wrote:
> When writing an empty string to either 'qw_sign' or 'landingPage'
> sysfs attributes, the store functions attempt to access page[l - 1]
> before validating that the length 'l' is greater than zero.
>
> This patch fixes the vulnerability by adding a check at the beginning
> of os_desc_qw_sign_store() and webusb_landingPage_store() to handle
> the zero-length input case gracefully by returning immediately.
>
> Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
> ---
> drivers/usb/gadget/configfs.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
> index fba2a56dae97..1bb32d6be9b3 100644
> --- a/drivers/usb/gadget/configfs.c
> +++ b/drivers/usb/gadget/configfs.c
> @@ -1064,7 +1064,8 @@ static ssize_t webusb_landingPage_store(struct config_item *item, const char *pa
> struct gadget_info *gi = webusb_item_to_gadget_info(item);
> unsigned int bytes_to_strip = 0;
> int l = len;
> -
Why are you removing empty line here?
> + if (!len)
> + return len;
> if (page[l - 1] == '\n') {
> --l;
> ++bytes_to_strip;
> @@ -1187,7 +1188,8 @@ static ssize_t os_desc_qw_sign_store(struct config_item *item, const char *page,
> {
> struct gadget_info *gi = os_desc_item_to_gadget_info(item);
> int res, l;
> -
And here?
> + if (!len)
> + return len;
> l = min_t(int, len, OS_STRING_QW_SIGN_LEN >> 1);
> if (page[l - 1] == '\n')
> --l;
MBR, Sergey
Hi Sergey,
Thanks for your review.
You are right, removing the blank line is inappropriate. I’ve
double-checked the original code and confirmed there are no invisible
spaces or tabs, yet checkpatch.pl still reports "ERROR: trailing
whitespace" on these lines. I removed the empty line here, and it
resolved the error.
Thanks for pointing this out!
Best regards,
Xinyu Liu
在 2025/7/9 16:48, Sergey Shtylyov 写道:
> On 7/9/25 6:55 AM, Xinyu Liu wrote:
>
>> When writing an empty string to either 'qw_sign' or 'landingPage'
>> sysfs attributes, the store functions attempt to access page[l - 1]
>> before validating that the length 'l' is greater than zero.
>>
>> This patch fixes the vulnerability by adding a check at the beginning
>> of os_desc_qw_sign_store() and webusb_landingPage_store() to handle
>> the zero-length input case gracefully by returning immediately.
>>
>> Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
>> ---
>> drivers/usb/gadget/configfs.c | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
>> index fba2a56dae97..1bb32d6be9b3 100644
>> --- a/drivers/usb/gadget/configfs.c
>> +++ b/drivers/usb/gadget/configfs.c
>> @@ -1064,7 +1064,8 @@ static ssize_t webusb_landingPage_store(struct config_item *item, const char *pa
>> struct gadget_info *gi = webusb_item_to_gadget_info(item);
>> unsigned int bytes_to_strip = 0;
>> int l = len;
>> -
> Why are you removing empty line here?
>
>> + if (!len)
>> + return len;
>> if (page[l - 1] == '\n') {
>> --l;
>> ++bytes_to_strip;
>> @@ -1187,7 +1188,8 @@ static ssize_t os_desc_qw_sign_store(struct config_item *item, const char *page,
>> {
>> struct gadget_info *gi = os_desc_item_to_gadget_info(item);
>> int res, l;
>> -
> And here?
>
>> + if (!len)
>> + return len;
>> l = min_t(int, len, OS_STRING_QW_SIGN_LEN >> 1);
>> if (page[l - 1] == '\n')
>> --l;
> MBR, Sergey
On 7/9/25 1:22 PM, Xinyu Liu wrote: [...] > You are right, removing the blank line is inappropriate. Empty lines separating declarations from the other statements should be kept... > I’ve double-checked the original code and confirmed there are no invisible spaces or tabs, I'm not seeing them as well in your patch... > yet checkpatch.pl still reports "ERROR: trailing whitespace" on these lines. I removed the empty line here, and it resolved the error. Hm... something wrong with your setup, I guess... > Thanks for pointing this out! [...] MBR, Sergey
© 2016 - 2025 Red Hat, Inc.