[PATCH 1/2] USB: sisusbvga: Fix integer overflow in sisusb_clear_vram
From: Vasiliy Kovalev
Date: Tue Feb 17 2026 - 20:05:22 EST
The boundary check in sisusb_clear_vram():
if (address + length > sisusb->vrambase + sisusb->vramsize)
length = sisusb->vrambase + sisusb->vramsize - address;
is subject to unsigned 32-bit integer overflow. When address is close to
UINT32_MAX and length is non-trivial, their sum wraps around and the
guard evaluates incorrectly, allowing the check to be bypassed.
The overflow condition requires length > UINT32_MAX - address. Since
address belongs to [vrambase; vrambase + vramsize) where vrambase is
0xd0000000, and length comes from userspace via SUCMD_CLRSCR as a 24-bit
value (max 0xFFFFFF), overflow is only reachable when sisusb->vramsize
exceeds 1 GiB. A compromised USB device can return an arbitrary value for
sisusb->vramsize via SR[0x14], making this condition reachable.
Use check_add_overflow() to detect the overflow explicitly and return 1.
This ensures the driver correctly rejects invalid parameters instead of
proceeding with wrapped-around values.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Tested with 'USB Gadget Tests'[1]:
$ TEST=sisusbvga-fops-svace-int-overflow
$ echo $TEST > tests/list.txt && make && sudo ./check.sh
[1] Link: https://github.com/kovalev0/usb-gadget-tests
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Vasiliy Kovalev <kovalev@xxxxxxxxxxxx>
---
drivers/usb/misc/sisusbvga/sisusbvga.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/misc/sisusbvga/sisusbvga.c b/drivers/usb/misc/sisusbvga/sisusbvga.c
index febf34f9f049..89d566d192aa 100644
--- a/drivers/usb/misc/sisusbvga/sisusbvga.c
+++ b/drivers/usb/misc/sisusbvga/sisusbvga.c
@@ -1301,6 +1301,7 @@ static int sisusb_clear_vram(struct sisusb_usb_data *sisusb,
{
int ret, i;
ssize_t j;
+ u32 end_addr;
if (address < sisusb->vrambase)
return 1;
@@ -1308,7 +1309,10 @@ static int sisusb_clear_vram(struct sisusb_usb_data *sisusb,
if (address >= sisusb->vrambase + sisusb->vramsize)
return 1;
- if (address + length > sisusb->vrambase + sisusb->vramsize)
+ if (check_add_overflow(address, (u32)length, &end_addr))
+ return 1;
+
+ if (end_addr > sisusb->vrambase + sisusb->vramsize)
length = sisusb->vrambase + sisusb->vramsize - address;
if (length <= 0)
--
2.50.1