[PATCH] usb: fix potential integer overflow in usb_sg_init

From: Insu Yun
Date: Mon Jan 18 2016 - 12:05:09 EST


If nents value is sufficiently large, e.g. 0x40000000,
then it can overflow size in kmalloc and heap overflow happens.
Therefore nents value needs to be checked to prevent overflow.

Signed-off-by: Insu Yun <wuninsu@xxxxxxxxx>
---
drivers/usb/core/message.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 8e641b5..53393d5 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -367,7 +367,8 @@ int usb_sg_init(struct usb_sg_request *io, struct usb_device *dev,
if (!io || !dev || !sg
|| usb_pipecontrol(pipe)
|| usb_pipeisoc(pipe)
- || nents <= 0)
+ || nents <= 0
+ || nents >= UINT_MAX / sizeof(*io->urbs))
return -EINVAL;

spin_lock_init(&io->lock);
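Review bot: the new bound `nents >= UINT_MAX / sizeof(*io->urbs)` in the argument check uses UINT_MAX, but sizeof yields size_t, so the multiplication it guards is done in size_t and the limit matches the real overflow point only where size_t is 32 bits wide. The check also sits apart from the kmalloc the commit message refers to, which is not visible in this hunk, so a later change to the element type or to the count used at the allocation would invalidate it without any warning. Consider doing the overflow check at the allocation itself with kmalloc_array(), or at least use SIZE_MAX here and add a short comment naming the multiplication this bound protects.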
--
1.9.1