diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2017-09-22 23:43:25 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-12-09 18:42:44 +0100 |
| commit | c0493eb552e0ad84c86e8fb3b9b9817c57a52d18 (patch) | |
| tree | 6289c307b3a378d265637b21cd21be1754d67246 /kernel/trace/trace_functions_graph.c | |
| parent | 2ee8d2acf3efc2ddcd571845e8663a101cdde86e (diff) | |
USB: devio: Prevent integer overflow in proc_do_submiturb()
commit 57999d1107c1e60c2ca7088f2ac0f819e2f554b3 upstream.
There used to be an integer overflow check in proc_do_submiturb() but
we removed it. It turns out that it's still required. The
uurb->buffer_length variable is a signed integer and it's controlled by
the user. It can lead to an integer overflow when we do:
num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
If we strip away the macro then that line looks like this:
num_sgs = (uurb->buffer_length + USB_SG_SIZE - 1) / USB_SG_SIZE;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's the first addition which can overflow.
Fixes: 1129d270cbfb ("USB: Increase usbfs transfer limit")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'kernel/trace/trace_functions_graph.c')
0 files changed, 0 insertions, 0 deletions