iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
57999d1107c1e60c2ca7088f2ac0f819e2f554b3
linux/drivers/usb/core
History
Dan Carpenter 57999d1107 USB: devio: Prevent integer overflow in proc_do_submiturb() 
There used to be an integer overflow check in proc_do_submiturb() but
we removed it.  It turns out that it's still required.  The
uurb->buffer_length variable is a signed integer and it's controlled by
the user.  It can lead to an integer overflow when we do:

	num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);

If we strip away the macro then that line looks like this:

	num_sgs = (uurb->buffer_length + USB_SG_SIZE - 1) / USB_SG_SIZE;
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's the first addition which can overflow.

Fixes: 1129d270cb ("USB: Increase usbfs transfer limit")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-09-25 10:57:13 +02:00
..
buffer.c
usb: separate out sysdev pointer from usb_bus
2017-03-23 08:20:21 +01:00
config.c
USB: fix out-of-bounds in usb_set_configuration
2017-09-19 17:27:16 +02:00
devices.c
usb: fix some references for /proc/bus/usb
2017-04-18 16:54:19 +02:00
devio.c
USB: devio: Prevent integer overflow in proc_do_submiturb()
2017-09-25 10:57:13 +02:00
driver.c
usb: hub: Do not attempt to autosuspend disconnected devices
2017-03-23 08:13:22 +01:00
endpoint.c
Merge tag 'usb-for-v4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next
2016-11-18 16:02:15 +01:00
file.c
USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously
2017-03-29 11:55:25 +02:00
generic.c
USB: core: add missing license information to some files
2016-10-29 12:51:56 -04:00
hcd-pci.c
USB / PCI / PM: Allow the PCI core to do the resume cleanup
2017-06-15 00:55:43 +02:00
hcd.c
Merge 4.13-rc5 into usb-next
2017-08-14 14:50:58 -07:00
hub.c
usb: Increase quirk delay for USB devices
2017-09-18 11:28:23 +02:00
hub.h
usb: Support USB 3.1 extended port status request
2016-01-24 20:16:52 -08:00
Kconfig
docs-rst: fix usb cross-references
2017-04-11 14:41:29 -06:00
ledtrig-usbport.c
usb: core: usbport: fix "BUG: key not in .data" when lockdep is enabled
2017-08-29 08:27:25 +02:00
Makefile
usb: add CONFIG_USB_PCI for system have both PCI HW and non-PCI based USB HW
2017-03-17 13:16:56 +09:00
message.c
USB: core: harden cdc_parse_cdc_header
2017-09-21 17:01:38 +02:00
notify.c
USB: core: add missing license information to some files
2016-10-29 12:51:56 -04:00
of.c
USB: of: document reference taken by child-lookup helper
2017-06-13 11:07:32 +02:00
otg_whitelist.h
usb: core: use IS_ENABLED() instead of checking for built-in or module
2016-09-02 14:36:33 +02:00
port.c
Revert "USB / PM: Allow USB devices to remain runtime-suspended when sleeping"
2016-05-02 08:44:31 -07:00
quirks.c
usb: Add device quirk for Logitech HD Pro Webcam C920-C
2017-08-28 11:43:39 +02:00
sysfs.c
usb: Convert to using %pOF instead of full_name
2017-07-22 15:56:53 +02:00
urb.c
USB: core: replace %p with %pK
2017-05-17 11:27:41 +02:00
usb-acpi.c
usb: optimize acpi companion search for usb port devices
2017-06-03 18:02:58 +09:00
usb.c
USB: of: fix root-hub device-tree node handling
2017-06-13 11:07:32 +02:00
usb.h
USB: core: add missing license information to some files
2016-10-29 12:51:56 -04:00