[PATCH 0/2] USB: sisusbvga: Fix integer overflow and NULL dereference

Next message: Vasiliy Kovalev: "[PATCH 2/2] USB: sisusbvga: Fix NULL pointer dereference in sisusb_read"
Previous message: Vasiliy Kovalev: "[PATCH 1/2] USB: sisusbvga: Fix integer overflow in sisusb_clear_vram"
Next in thread: Vasiliy Kovalev: "[PATCH 1/2] USB: sisusbvga: Fix integer overflow in sisusb_clear_vram"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vasiliy Kovalev

Date: Tue Feb 17 2026 - 20:05:29 EST

This series fixes two issues in the sisusbvga driver found by static
analysis and confirmed through testing with USB gadget emulation:

1. Integer overflow in boundary check of sisusb_clear_vram() that can be
triggered by a compromised USB device reporting inflated VRAM size.

2. NULL pointer dereference in sisusb_read() when userspace passes a NULL
buffer to read(), causing immediate kernel panic.

Both issues are reproducible with the 'USB Gadget Tests' framework [1].

[1] https://github.com/kovalev0/usb-gadget-tests

Vasiliy Kovalev (2):
USB: sisusbvga: Fix integer overflow in sisusb_clear_vram
USB: sisusbvga: Fix NULL pointer dereference in sisusb_read

drivers/usb/misc/sisusbvga/sisusbvga.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

--
2.50.1