Re: [PATCH v2] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()

public inbox for linux-usb@vger.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <kees@kernel.org>
To: pip-izony <eeodqql09@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Kyungtae Kim <Kyungtae.Kim@dartmouth.edu>,
	Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
	Yuping Luo <Yuping.Luo@csr.com>, Felipe Balbi <balbi@ti.com>,
	Michal Nazarewicz <mina86@mina86.com>,
	Alan Stern <stern@rowland.harvard.edu>,
	Barry Song <baohua@kernel.org>,
	linux-usb@vger.kernel.org
Subject: Re: [PATCH v2] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
Date: Thu, 26 Feb 2026 10:05:51 -0800	[thread overview]
Message-ID: <202602261001.4387F04112@keescook> (raw)
In-Reply-To: <20260226155556.1439672-3-eeodqql09@gmail.com>

On Thu, Feb 26, 2026 at 10:55:58AM -0500, pip-izony wrote:
> From: Seungjin Bae <eeodqql09@gmail.com>
> 
> The `check_command_size_in_blocks()` function calculates the data size
> in bytes by left shifting `common->data_size_from_cmnd` by the block
> size (`common->curlun->blkbits`). However, it does not validate whether
> this shift operation will cause an integer overflow.
> 
> Initially, the block size is set up in `fsg_lun_open()` , and the
> `common->data_size_from_cmnd` is set up in `do_scsi_command()`. During
> initialization, there is no integer overflow check for the interaction
> between two variables.
> 
> So if a malicious USB host sends a SCSI READ or WRITE command
> requesting a large amount of data (`common->data_size_from_cmnd`), the
> left shift operation can wrap around. This results in a truncated data
> size, which can bypass boundary checks and potentially lead to memory
> corruption or out-of-bounds accesses.
> 
> Fix this by using the check_shl_overflow() macro to safely perform the
> shift and catch any overflows.
> 
> Fixes: 144974e7f9e3 ("usb: gadget: mass_storage: support multi-luns with different logic block size")
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
> ---
>  v1 -> v2: Removed the cmnd_size check and applied the check_shl_overflow() macro
> 
>  drivers/usb/gadget/function/f_mass_storage.c | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
> index 6af96e2b44eb..cb885153a31e 100644
> --- a/drivers/usb/gadget/function/f_mass_storage.c
> +++ b/drivers/usb/gadget/function/f_mass_storage.c
> @@ -180,6 +180,7 @@
>  #include <linux/kthread.h>
>  #include <linux/sched/signal.h>
>  #include <linux/limits.h>
> +#include <linux/overflow.h>
>  #include <linux/pagemap.h>
>  #include <linux/rwsem.h>
>  #include <linux/slab.h>
> @@ -1853,8 +1854,17 @@ static int check_command_size_in_blocks(struct fsg_common *common,
>  		int cmnd_size, enum data_direction data_dir,
>  		unsigned int mask, int needs_medium, const char *name)
>  {
> -	if (common->curlun)
> -		common->data_size_from_cmnd <<= common->curlun->blkbits;
> +	unsigned int blkbits;
> +
> +	if (common->curlun) {
> +		blkbits = common->curlun->blkbits;
> +		if (check_shl_overflow(common->data_size_from_cmnd, blkbits,
> +							   &common->data_size_from_cmnd)) {
> +			common->phase_error = 1;
> +			return -EINVAL;
> +		}
> +	}

Right, as Alan suggested, I would expect the code style to be:

	if (common->curlen) {
		if (check_shl_overflow(common->data_size_from_cmnd,
				       common->curlun->blkbits,
				       &common->data_size_from_cmnd)) {
			common->phase_error = 1;
			return -EINVAL;
		}
	}

I would have expected scripts/checkpatch.pl to complain about the
indentation. Did you check your patch with that?

-Kees

-- 
Kees Cook

     prev parent reply	other threads:[~2026-02-26 18:05 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-26 15:55 [PATCH v2] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() pip-izony
2026-02-26 16:52 ` Alan Stern
2026-02-26 18:05 ` Kees Cook [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202602261001.4387F04112@keescook \
    --to=kees@kernel.org \
    --cc=Kyungtae.Kim@dartmouth.edu \
    --cc=Yuping.Luo@csr.com \
    --cc=balbi@ti.com \
    --cc=baohua@kernel.org \
    --cc=christophe.jaillet@wanadoo.fr \
    --cc=eeodqql09@gmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=mina86@mina86.com \
    --cc=stern@rowland.harvard.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox