| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1453136811-15601-1-git-send-email-wuninsu@gmail.com> Date: Mon, 18 Jan 2016 12:06:51 -0500 From: Insu Yun <wuninsu@...il.com> To: gregkh@...uxfoundation.org, stefan.koch10@...il.com, stern@...land.harvard.edu, kborer@...il.com, linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org Cc: taesoo@...ech.edu, yeongjin.jang@...ech.edu, insu@...ech.edu, changwoo@...ech.edu, Insu Yun <wuninsu@...il.com> Subject: [PATCH] usb: fix potential integer overflow in usb_sg_init If nents value is sufficient large, e.g 0x40000000, then it can overflow size in kmalloc and heap overflow happesns. Therefore nents value needs to be checked to prevent overflow. Signed-off-by: Insu Yun <wuninsu@...il.com> --- drivers/usb/core/message.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c index 8e641b5..53393d5 100644 --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -367,7 +367,8 @@ int usb_sg_init(struct usb_sg_request *io, struct usb_device *dev, if (!io || !dev || !sg || usb_pipecontrol(pipe) || usb_pipeisoc(pipe) - || nents <= 0) + || nents <= 0 + || nents >= UINT_MAX / sizeof(*io->urbs)) return -EINVAL; spin_lock_init(&io->lock); -- 1.9.1
Powered by blists - more mailing lists