From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D98F9222590; Mon, 23 Mar 2026 14:16:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774275406; cv=none; b=ZuQLFqRhTvnCabpL+p5uLVmp91GSQxZI+zg5/kj0fmZ+wsXSUXpq8xfxf3b25WdekReqFTwtsuXtPPH1hKConF5FllSVXg6OiLdcpOHwdCQHL8FX8vAblmceB/zj2NV4ugQmupdlRMYcWC6JWTFduHgsMPeIFNBbRWm2HW7bASo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774275406; c=relaxed/simple; bh=bWpnDb0QFH68yutdGitYm/hbu0R4t66050tJ8hL+XJY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fMs98/smMiCVixB8ZvSRnRVVIY5ZBWnCEApmkslIjrgYwU3W7tBA24o9kasjDQXyAGTlqbM9N6M+x6aco9L5/6Z/4JoZuyQm/9/uEUkIVbkffpTtXVlh+QdC91+FwTm2lVNh/8vX8oJc6DYHkAcmyt++o6d5A4hXVccNBub8bpU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=Z/yROvu2; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="Z/yROvu2" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 49695C4CEF7; Mon, 23 Mar 2026 14:16:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1774275406; bh=bWpnDb0QFH68yutdGitYm/hbu0R4t66050tJ8hL+XJY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Z/yROvu2tbmyyqeDPzO3nEjm2IAosNVQ9vym44dialTk6R7l153GdoGVUIEurW6UG RyJJ9h+OabYBJiKJxqmcmLmagGqjeuC1K+HAMK7muIaYQKtPpH8/GOYZyjVlGF+Jp7 NmJqFzi7paMrj+j4HB0pxS/sl1KTMlZjYHUlChVw= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Seungjin Bae , Alan Stern , Sasha Levin Subject: [PATCH 6.12 087/460] usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() Date: Mon, 23 Mar 2026 14:41:23 +0100 Message-ID: <20260323134528.810532383@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260323134526.647552166@linuxfoundation.org> References: <20260323134526.647552166@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Seungjin Bae [ Upstream commit 8479891d1f04a8ce55366fe4ca361ccdb96f02e1 ] The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow. Initially, the block size is set up in `fsg_lun_open()` , and the `common->data_size_from_cmnd` is set up in `do_scsi_command()`. During initialization, there is no integer overflow check for the interaction between two variables. So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (`common->data_size_from_cmnd`), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses. Fix this by using the check_shl_overflow() macro to safely perform the shift and catch any overflows. Fixes: 144974e7f9e3 ("usb: gadget: mass_storage: support multi-luns with different logic block size") Signed-off-by: Seungjin Bae Reviewed-by: Alan Stern Link: https://patch.msgid.link/20260228104324.1696455-2-eeodqql09@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/f_mass_storage.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c index 08e0d1c511e8d..74cb7e57a197c 100644 --- a/drivers/usb/gadget/function/f_mass_storage.c +++ b/drivers/usb/gadget/function/f_mass_storage.c @@ -180,6 +180,7 @@ #include #include #include +#include #include #include #include @@ -1853,8 +1854,15 @@ static int check_command_size_in_blocks(struct fsg_common *common, int cmnd_size, enum data_direction data_dir, unsigned int mask, int needs_medium, const char *name) { - if (common->curlun) - common->data_size_from_cmnd <<= common->curlun->blkbits; + if (common->curlun) { + if (check_shl_overflow(common->data_size_from_cmnd, + common->curlun->blkbits, + &common->data_size_from_cmnd)) { + common->phase_error = 1; + return -EINVAL; + } + } + return check_command(common, cmnd_size, data_dir, mask, needs_medium, name); } -- 2.51.0