From: Dan Carpenter <dan.carpenter@oracle.com>
To: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
John Keeping <john@metanate.com>,
Linyu Yuan <quic_linyyuan@quicinc.com>,
Jens Axboe <axboe@kernel.dk>,
Vincent Pelletier <plr.vincent@gmail.com>,
Udipto Goswami <quic_ugoswami@quicinc.com>,
linux-usb@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] usb: gadget: f_fs: stricter integer overflow checks
Date: Thu, 1 Sep 2022 17:59:42 +0300
Message-ID: <YxDI3lMYomE7WCjn@kili>
This is from static analysis. The vla_item() takes a size and adds it to
the total. It has a built-in integer overflow check so if it encounters
an integer overflow anywhere then it records the total as SIZE_MAX.
However there is an issue here because the "lang_count*(needed_count+1)"
multiplication can overflow. Technically the "lang_count + 1" addition
could overflow too, but that would be detected and is harmless. Fix
both using the new size_add() and size_mul() functions.
Fixes: e6f3862fa1ec ("usb: gadget: FunctionFS: Remove VLAIS usage from gadget code")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
The Fixes tag is arguably incorrect. Sometimes it is a philosophical
question how to assign the Fixes tag. That was the patch which added
checking for integer overflows. So that patch only made things better,
but it accidentally left this from the original code.
From a practical perspective, that patch is nine years old and anyone
who hasn't applied it doesn't care about security.
drivers/usb/gadget/function/f_fs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 98dc2291e9a1..73dc10a77cde 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2645,10 +2645,10 @@ static int __ffs_data_got_strings(struct ffs_data *ffs,
unsigned i = 0;
vla_group(d);
vla_item(d, struct usb_gadget_strings *, stringtabs,
- lang_count + 1);
+ size_add(lang_count, 1));
vla_item(d, struct usb_gadget_strings, stringtab, lang_count);
vla_item(d, struct usb_string, strings,
- lang_count*(needed_count+1));
+ size_mul(lang_count, (needed_count + 1)));
char *vlabuf = kmalloc(vla_group_size(d), GFP_KERNEL);
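Review bot: the inner `needed_count + 1` in the second replaced site is still plain C arithmetic, so it can wrap before size_mul() ever sees it, even though the parallel `lang_count + 1` site in the same hunk was converted to size_add(). The type of needed_count is not visible here, but if the addition can wrap to 0, size_mul() would return 0 rather than SIZE_MAX and vla_group_size() would size the kmalloc() too small, which is exactly the class of bug this patch is meant to close. Suggest `size_mul(lang_count, size_add(needed_count, 1))`, which also drops the redundant parentheses around the addend.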
--
2.35.1
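The saturating arithmetic the commit message describes, as an added userspace illustration that is not code from the patch or from the kernel: sat_add()/sat_mul() are stand-ins for the kernel's size_add()/size_mul(), lang_count and needed_count are assumed to be size_t here, and strings_count_checked() additionally saturates the inner addition, which the hunk leaves as plain arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the kernel's size_add()/size_mul(): on overflow they
 * saturate to SIZE_MAX instead of wrapping, so a poisoned total propagates
 * through vla_group_size() and the allocation fails instead of being
 * undersized. (Assumption: this mirrors include/linux/overflow.h semantics.) */
static size_t sat_add(size_t a, size_t b)
{
    size_t r;
    return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

static size_t sat_mul(size_t a, size_t b)
{
    size_t r;
    return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* Element count of the "strings" vla_item before the patch: plain C
 * arithmetic, which silently wraps modulo 2^64 on overflow. */
static size_t strings_count_wrapping(size_t lang_count, size_t needed_count)
{
    return lang_count * (needed_count + 1);
}

/* Element count after the patch, with the inner addition also routed through
 * the saturating helper (stricter than the hunk, which keeps needed_count + 1
 * as plain arithmetic). Any overflow yields SIZE_MAX, never a small value. */
static size_t strings_count_checked(size_t lang_count, size_t needed_count)
{
    return sat_mul(lang_count, sat_add(needed_count, 1));
}

int main(void)
{
    /* Constructed hostile sizes: (SIZE_MAX/2 + 1) * 2 == 2^64, which wraps
     * to 0 elements, i.e. a buffer far smaller than the data later copied
     * into it. The checked path reports SIZE_MAX so kmalloc() would fail. */
    size_t lang_count = SIZE_MAX / 2 + 1, needed_count = 1;
    printf("wrapping: %zu elements\n", strings_count_wrapping(lang_count, needed_count));
    printf("checked:  %zu elements\n", strings_count_checked(lang_count, needed_count));
    printf("sane:     %zu elements\n", strings_count_checked(3, 4));
    return 0;
}
```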