From e65cdfae71cecec0fcd43a3f9ac8b5e4ae52db08 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Mon, 9 Apr 2012 15:48:55 -0400 Subject: usb: usbtest: avoid integer overflow in test_ctrl_queue() Avoid overflowing context.count = param->sglen * param->iterations, where both `sglen' and `iterations' are from userspace. | test_ctrl_queue() | usbtest_ioctl() Keep -EOPNOTSUPP for error code. Signed-off-by: Xi Wang Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/usbtest.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'drivers/usb/misc/usbtest.c') diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c index 959145baf3c..967254afb6e 100644 --- a/drivers/usb/misc/usbtest.c +++ b/drivers/usb/misc/usbtest.c @@ -904,6 +904,9 @@ test_ctrl_queue(struct usbtest_dev *dev, struct usbtest_param *param) struct ctrl_ctx context; int i; + if (param->sglen == 0 || param->iterations > UINT_MAX / param->sglen) + return -EOPNOTSUPP; + spin_lock_init(&context.lock); context.dev = dev; init_completion(&context.complete); @@ -1981,8 +1984,6 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf) /* queued control messaging */ case 10: - if (param->sglen == 0) - break; retval = 0; dev_info(&intf->dev, "TEST 10: queue %d control calls, %d times\n", -- cgit v1.2.3-70-g09d2 From 8bde9a62ee74afa89f593c563e926d163b1f6ada Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Mon, 9 Apr 2012 15:48:45 -0400 Subject: usb: usbtest: avoid integer overflow in alloc_sglist() A large `nents' from userspace could overflow the allocation size, leading to memory corruption. | alloc_sglist() | usbtest_ioctl() Use kmalloc_array() to avoid the overflow. Signed-off-by: Xi Wang Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/usbtest.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/usb/misc/usbtest.c') diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c index 967254afb6e..cac67dea2ba 100644 --- a/drivers/usb/misc/usbtest.c +++ b/drivers/usb/misc/usbtest.c @@ -423,7 +423,7 @@ alloc_sglist(int nents, int max, int vary) unsigned i; unsigned size = max; - sg = kmalloc(nents * sizeof *sg, GFP_KERNEL); + sg = kmalloc_array(nents, sizeof *sg, GFP_KERNEL); if (!sg) return NULL; sg_init_table(sg, nents); -- cgit v1.2.3-70-g09d2 From f4a728d09a96d6a83d9c3f39035b1aa7726892ea Mon Sep 17 00:00:00 2001 From: Julia Lawall Date: Sun, 25 Mar 2012 21:08:32 +0200 Subject: drivers/usb/misc/usbtest.c: add kfrees Free the two previously allocated buffers before exiting the function in an error case. Signed-off-by: Julia Lawall Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/usbtest.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/usb/misc/usbtest.c') diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c index cac67dea2ba..9dcb68f04f0 100644 --- a/drivers/usb/misc/usbtest.c +++ b/drivers/usb/misc/usbtest.c @@ -2277,6 +2277,8 @@ usbtest_probe(struct usb_interface *intf, const struct usb_device_id *id) if (status < 0) { WARNING(dev, "couldn't get endpoints, %d\n", status); + kfree(dev->buf); + kfree(dev); return status; } /* may find bulk or ISO pipes */ -- cgit v1.2.3-70-g09d2