[Linux-stable-mirror] Patch "USB: devio: Prevent integer overflow in proc_do_submiturb()" has been added to the 4.4-stable tree - Linux-stable-mirror

7 Dec 2017

This is a note to let you know that I've just added the patch titled
USB: devio: Prevent integer overflow in proc_do_submiturb()
to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is:
     usb-devio-prevent-integer-overflow-in-proc_do_submiturb.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let stable@vger.kernel.org know about it.
...
From 57999d1107c1e60c2ca7088f2ac0f819e2f554b3 Mon Sep 17 00:00:00 2001
From: Dan Carpenter dan.carpenter@oracle.com
Date: Fri, 22 Sep 2017 23:43:25 +0300
Subject: USB: devio: Prevent integer overflow in proc_do_submiturb()
From: Dan Carpenter dan.carpenter@oracle.com
commit 57999d1107c1e60c2ca7088f2ac0f819e2f554b3 upstream.
There used to be an integer overflow check in proc_do_submiturb() but
we removed it.  It turns out that it's still required.  The
uurb->buffer_length variable is a signed integer and it's controlled by
the user.  It can lead to an integer overflow when we do:
num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
If we strip away the macro then that line looks like this:
num_sgs = (uurb->buffer_length + USB_SG_SIZE - 1) / USB_SG_SIZE;
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's the first addition which can overflow.
Fixes: 1129d270cbfb ("USB: Increase usbfs transfer limit")
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
Acked-by: Alan Stern stern@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 drivers/usb/core/devio.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -118,6 +118,9 @@ module_param(usbfs_memory_mb, uint, 0644
 MODULE_PARM_DESC(usbfs_memory_mb,
    	"maximum MB allowed for usbfs buffers (0 = no limit)");
+/* Hard limit, necessary to avoid arithmetic overflow */
+#define USBFS_XFER_MAX         (UINT_MAX / 2 - 1000000)
+
 static atomic64_t usbfs_memory_usage;	/* Total memory currently allocated */
/* Check whether it's okay to allocate more memory for a transfer */
@@ -1298,6 +1301,8 @@ static int proc_do_submiturb(struct usb_
    			USBDEVFS_URB_ZERO_PACKET |
    			USBDEVFS_URB_NO_INTERRUPT))
    	return -EINVAL;
+	if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
+		return -EINVAL;
    if (uurb->buffer_length > 0 && !uurb->buffer)
    	return -EINVAL;
    if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
Patches currently in stable-queue which might be from dan.carpenter@oracle.com are
queue-4.4/usb-devio-prevent-integer-overflow-in-proc_do_submiturb.patch

    