From patchwork Thu Sep 1 14:59:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 12962801 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28B44C64991 for ; Thu, 1 Sep 2022 15:00:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234488AbiIAPAl (ORCPT ); Thu, 1 Sep 2022 11:00:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46850 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234594AbiIAPAT (ORCPT ); Thu, 1 Sep 2022 11:00:19 -0400 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 949C827CD1; Thu, 1 Sep 2022 08:00:14 -0700 (PDT) Received: from pps.filterd (m0246632.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 281Diq42026697; Thu, 1 Sep 2022 15:00:01 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : content-type : mime-version; s=corp-2022-7-12; bh=jpB7+5SDTQvgelHtdlGUo71KB1UYAJdQ15HdPcSXXAY=; b=Dhtz5tUfwAyPy41fvDFw/347oDDJO82w5tUfJNEJ6p0mjT6mWrfzLsdlkqxIiZyvUXTC Z7X7QrzozG2EPpqoG+gcWK2krEYbD9vjHJVtaeA6ofF8Dm/7me11sZLsRNKjJ0L2GV5b DKaNvHheWmbFKKwIW76P3Wjbm7+PUNGPsa43+kZTxxAM7d76XyVL2fCkayqiZ46LYDXc T1ofRGRHm5U7isEnuJgbwfBJAtYvlb668jEHuCtfM3OCpXXzuZu+XE6JbQneRJucrHZD dt/7F3bAxlqqZO3Tfyz+4u4/mttrAGBTZ+tQIMAyFy60gl54HLI3nOofZYdsgeYtZn9h BA== Received: from phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta01.appoci.oracle.com [138.1.114.2]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3j7avsmh19-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 01 Sep 2022 15:00:01 +0000 Received: from pps.filterd (phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 281E1SSm027707; Thu, 1 Sep 2022 15:00:00 GMT Received: from nam11-bn8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2168.outbound.protection.outlook.com [104.47.58.168]) by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTPS id 3j79q6asru-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 01 Sep 2022 15:00:00 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=G8Ic54G5MJ004uIOwjdo3RhUZ0lCFoUeJPBya3jgunObGLYUkwhjWfBiOmGK3VzBF/TYdSCO1HTVAEQNbwXs/vNN40y9DPS7ltAPoWN7gHJE14zpQi/7iIvz4Q6/KDiqkg8c1+dL56Kgmtfg8G8dnjRQGabvhZnxbmaGWSkE69UHRIsmk4U/A1uovjMHFeFlhFMNEWrUUqTHCxX3KScDiZ9BKIK5kwkvwErsi7ebPQF12Jzha4qxVROwrYAVdZ5DObLbBtobCVXqqHnugGjSHL3J3YWt88eb6HJ7BREX1eHiiXCfQPibxSyQuD7VNLc5G4TReLSc7LJcZuELdCfYQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=jpB7+5SDTQvgelHtdlGUo71KB1UYAJdQ15HdPcSXXAY=; b=KpaHMQmIfrO9ttAPAzTYJ3pirRY4z6FH4+8yCH3r/UgmxO3L6HU6pjuNUhAsBbY7dx4+nx+SUI1Bc9ps+D/80d/kVGqgyVa5nBjxgx19YuLsa/3X0YL07ttCPhtsHItwFbwj+Y7YH51fNXperOfHf9Buy/hZQO/JohJHoKYSluTlEAKYCuT1DpiPLAm8rRsmi2KU6KuUoXADgXnChTFpWJeqVIQCKKRTdZq9GRCSot8OYL0K87i5fqTiJKdSRCWWqJrSjIYQNMQOOPNLHgtub5yjIPh5fUal73noLRs9ndvbPZjofae+cXPVtmH/m9Uk1n0KWZadYp+Bi1gGciISJQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jpB7+5SDTQvgelHtdlGUo71KB1UYAJdQ15HdPcSXXAY=; b=xf6cv44rXXkOUL7m3etczAEQxRnU09BXqEdAVWrS9LrvuzrgRKrf/YmXiw1D6i0F/N/lsvtNfuwsA2cUBffRZelO2sN9zRuKc48vjUCp3osmFfgo0pLdizBPY/HblQG5i2CWthS9faL7OQZ22omM+D/nI6mYjo/4XZTCiOph+Mo= Received: from MWHPR1001MB2365.namprd10.prod.outlook.com (2603:10b6:301:2d::28) by BLAPR10MB5313.namprd10.prod.outlook.com (2603:10b6:208:331::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5588.10; Thu, 1 Sep 2022 14:59:57 +0000 Received: from MWHPR1001MB2365.namprd10.prod.outlook.com ([fe80::209e:de4d:68ea:c026]) by MWHPR1001MB2365.namprd10.prod.outlook.com ([fe80::209e:de4d:68ea:c026%3]) with mapi id 15.20.5566.021; Thu, 1 Sep 2022 14:59:57 +0000 Date: Thu, 1 Sep 2022 17:59:42 +0300 From: Dan Carpenter To: Felipe Balbi Cc: Greg Kroah-Hartman , John Keeping , Linyu Yuan , Jens Axboe , Vincent Pelletier , Udipto Goswami , linux-usb@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] usb: gadget: f_fs: stricter integer overflow checks Message-ID: Content-Disposition: inline X-Mailer: git-send-email haha only kidding X-ClientProxiedBy: ZR0P278CA0008.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:16::18) To MWHPR1001MB2365.namprd10.prod.outlook.com (2603:10b6:301:2d::28) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: f3889190-1b81-40f4-1756-08da8c2aa2c2 X-MS-TrafficTypeDiagnostic: BLAPR10MB5313:EE_ X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: /hzZf5MbDGeYO3HfS3J7oWulVWH50umzGh0Sb9Kx2DE3GPRDHr4givwOVSE7OZW/uyt88f95Pda4N6gkZ1eLfNqZ3oroM2f/69jGEwipWWV+EbDAog88hIgdyHMpXNvBY8grNWlBJx1mdcT0T2sKSawzEEzIP4tNYkEwnZIzIPBaXiKik1w5v3dMhtViL8mdgAt4Z2R6KgZP2J10K2vCyqaTa4YAAYmWoW2iXeE4Qm80rcuQchnNRy6V+JWNqNiT3AMGxzn/9wRC6Sb0Nsp7cfenEmDhRVfL8SAVCRFCFkIhMZTNhYVHFfib5sLmp48cy1TQuaGM5KsTPUxzaOlLa87Ep4Skb28aI98FAjGUaINgu1oKBrLzP02qAQUnd6JOZVt06rORXkzwN8txBgiPO/95bAfSTic/JuRHUFcuo8NaRenMlHzCKdcpF80tBmlSx6KDiQQu4wfnW1BFLGyZ2r8MFPk1Op4vpg8DrIG/RkKDi1vJ2PDDC0nUHC7Pi1LqJbl68YCC6amZWdqLs7ggbouzyxPXOp7yxlA2rM1XOrOzCRrzF20ShCcXqFq5HGvLzXbyBCb8jSIMLWf2GwzzZL7xoSd6vI6TyF9UrKJ3OPXb4bdPpRE//8/phJ7ES3UAOjH/AiATWwejINg2zUpakRo2keBlvWK8kW0ETQQIdF8mXf5iH/NQVrX3kz1yvvD/tn/sft7yFabxQscqWTHe0AJdx96Yo3miIbdgoCsgsg+pDhPBi/9lC+l803a6yTYI2PeJxlC9pdM3Z0kOtOjyWg== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MWHPR1001MB2365.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230016)(7916004)(136003)(396003)(346002)(366004)(39860400002)(376002)(86362001)(52116002)(6916009)(6666004)(5660300002)(44832011)(33716001)(186003)(6506007)(8936002)(41300700001)(316002)(54906003)(9686003)(38350700002)(8676002)(6512007)(38100700002)(83380400001)(2906002)(66946007)(66556008)(4326008)(478600001)(6486002)(66476007)(26005);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: TE135L9t1vHf2PNPs8zn9F9UC3nwYTqxdqtkoGdNWUWc5apk1lfXo0gJEICQjOHoSck9tLlHHKA5nXhxv+fREq/RItWhCHTkdQLdqIwwWNsR9KtRwWEPZoM+a5AFKfZwSI0qRJDlbDG1OkkABryKy5kOKtciYw07BYJyxM1eAiAlCaCqJbZOQsyfOEjVCMRfBDq1DVhKVLnfxLZIQmPYIGLyQ+1yGQrkxdhYizXsOJrgoNC70qeIpMREbK6bVHPYUSaqGma1G3RONMccgPUVRS3rNO3cF7NM/GeXoPUM42Kh2eNJPWf11m88wR5klrKkAU9EhIN0nXtK5e2znTXhnPOJqwDog7bi/r/Wa1tcNYVARs2BGNP9t5xEDZvifq/zGh/0XkQFEMcb3yhhEBSD1QQK1swXqgxITLOVhMUIQWfA/2U+WSsUYspAJwe1aVMASbaFTsNvkMFjpxGC0NN8Km+yxXcmpEM8FCDktEkYiW+zR6Qp9KdwT6wNvjNFEABsZHDxjKGWX1WaeqGuk1r7wMgOZzk2qhrEeN+lU1prLCnebzuKnKSUgnx2NtUE033ugIxwHOhKaRIreF9qSPf+Q0inFD+Wfq8CcJLZ5LV3jzWliYWdqN8NyU2saHR0GfmUCyA/JcaDAiFzim6+9TV5odK4nN/y7PK/KKdZNlwq7IwWOIuQuBRmrib3BlIw06XNCzFWWR7XRRt6kJ969HX4cFRpFeb8/h1SBuX1s5mcPU7USTfzntV5AU0SELiFCfl65Ux7aZsmTAZBnxhxO++ml2FVvjHTDLLZ42NX/m/KfDn3He4kidVpYdEaUOkRJ9OLvaX0cPgWbXISjI+PQzf4SjIr16X5zLxJCkr//mWA5ukdOyxuCfxSXNcTMaHmZtq4ZqzygV83rXS5Mf2l/UbAHlqJ2jKJdX2fEaEbgDDACdx5BlpIy0XjsCJCoaERhIXmmaQxwIsjahqA++u1rkB87Vc+hAl1kHzYDhPn0FPbQ9ynuw1/kV7nnxjcnLWCen7+ro+cy8RMMzNquP6UWy1tzzwn1WOGcLdMyUOszOMKDXzy/S7olN/qekoct/gO1ALBHn1f8KnSUB6FBBVuqEbG7VxxSQF0b6rQSzTy4YAucB9NsN+ZA7rMxNw0BkTV3Qgr/63ocFBshHiC7KTX2qNnbTPc2DvRtE3D+lrJjkVwgjyB3C6YGgnLqlgEgq6ioopCyJZ0ZKUXoEQRvlkpxdPOKQCQ8rCTwqsP90f0ncS9MPv5nlwlU9D4ViEV5PQxOXLlTm0V5FWzSkArwylSIiRMTdtC2fH+S1ADHJzKbjbnIXjJw9YNnztk38TcERL9gmDG8earTt/l61JOo4AErwGyxSqL6VEwC9Lth4JaUnbOrbeYpx1CsckxvnMAiO2D7mH5YhbpKhHn+Zjrm7OVn75SuQWikto8P8El5DdlGSyck4OnlJWo48koP3dyegv68DFARn4VloOvEi8cZDNW8wLV0CicEv+DdafN0nh2thcrIl/S10CbKMzkZG08RCuS6kGEMGuCwZXW/B4BlOnLSO7Fz3ggyDlA4z5OGYA5KQtOcIiSZt/o+bndWx5jIeC6IsF1lAALMNHDtMUEIyWfafGTog== X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: f3889190-1b81-40f4-1756-08da8c2aa2c2 X-MS-Exchange-CrossTenant-AuthSource: MWHPR1001MB2365.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Sep 2022 14:59:57.6146 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: mhSf3RpmKlcQSg3ip0GdW5AfZI+7CTP2LsgvhXMsu/gWrZPV50i5yvFipgusCkqVESRC8fKSOzZU/CWnk51LpIcgE+wc+43WV60dEDZRnUc= X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR10MB5313 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-09-01_10,2022-08-31_03,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxscore=0 malwarescore=0 suspectscore=0 spamscore=0 adultscore=0 mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2207270000 definitions=main-2209010068 X-Proofpoint-GUID: fIoJOuNmqnYFjpSvnB16oEl1KdiyCEyr X-Proofpoint-ORIG-GUID: fIoJOuNmqnYFjpSvnB16oEl1KdiyCEyr Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org This from static analysis. The vla_item() takes a size and adds it to the total. It has a built in integer overflow check so if it encounters an integer overflow anywhere then it records the total as SIZE_MAX. However there is an issue here because the "lang_count*(needed_count+1)" multiplication can overflow. Technically the "lang_count + 1" addition could overflow too, but that would be detected and is harmless. Fix both using the new size_add() and size_mul() functions. Fixes: e6f3862fa1ec ("usb: gadget: FunctionFS: Remove VLAIS usage from gadget code") Signed-off-by: Dan Carpenter --- The Fixes tag is arguably incorrect. Sometimes it is a philosophical question how to assign the Fixes tag. That was the patch which added checking for integer overflows. So that patch only made things better, but it accidentally left this from the original code. From a practical perspective, that patch is nine years old and anyone who hasn't applied it doesn't care about security. drivers/usb/gadget/function/f_fs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 98dc2291e9a1..73dc10a77cde 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -2645,10 +2645,10 @@ static int __ffs_data_got_strings(struct ffs_data *ffs, unsigned i = 0; vla_group(d); vla_item(d, struct usb_gadget_strings *, stringtabs, - lang_count + 1); + size_add(lang_count, 1)); vla_item(d, struct usb_gadget_strings, stringtab, lang_count); vla_item(d, struct usb_string, strings, - lang_count*(needed_count+1)); + size_mul(lang_count, (needed_count + 1))); char *vlabuf = kmalloc(vla_group_size(d), GFP_KERNEL);