Gitiles
Code Review Sign In
LeafOS / LeafOS-Devices / android_kernel_samsung_exynos9820 / 57999d1107c1e60c2ca7088f2ac0f819e2f554b3
commit57999d1107c1e60c2ca7088f2ac0f819e2f554b3[log] [tgz]
authorDan Carpenter <dan.carpenter@oracle.com>Fri Sep 22 23:43:25 2017 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Mon Sep 25 10:57:13 2017 +0200
tree6081b8b694eeae7c08ea2cc082c9966517cdb838
parent1fbbb78f25d1291274f320462bf6908906f538db [diff]
USB: devio: Prevent integer overflow in proc_do_submiturb()

There used to be an integer overflow check in proc_do_submiturb() but
we removed it.  It turns out that it's still required.  The
uurb->buffer_length variable is a signed integer and it's controlled by
the user.  It can lead to an integer overflow when we do:

	num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);

If we strip away the macro then that line looks like this:

	num_sgs = (uurb->buffer_length + USB_SG_SIZE - 1) / USB_SG_SIZE;
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's the first addition which can overflow.

Fixes: 1129d270cbfb ("USB: Increase usbfs transfer limit")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: 6081b8b694eeae7c08ea2cc082c9966517cdb838
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README