From nobody Fri Dec 19 17:24:20 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D014FC04A95 for ; Sat, 22 Oct 2022 08:10:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233038AbiJVIKY (ORCPT ); Sat, 22 Oct 2022 04:10:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34660 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232825AbiJVIGG (ORCPT ); Sat, 22 Oct 2022 04:06:06 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 53F6E2D52D1; Sat, 22 Oct 2022 00:53:01 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E7A85B82DF1; Sat, 22 Oct 2022 07:52:58 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5EE28C433D6; Sat, 22 Oct 2022 07:52:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666425177; bh=vpqfbiunWovxa5YCg5882NV1JJiUtyPwMIje/6zZPJA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qFCPkfdksa00J3N81jhrmrP3e5nabk09v5RII6n94OzKGIkm8WfSk/EHb19b8NJH0 MLoqsVMyfwfR4HzrE7lj52GuQMpuIIAqLdoNEjxzWpiIkJazRbp9gxax4ZHJcCi1Y6 mx7nYLg84M1eqbm3ZbGmHDTeEGurMWocOQiznRwc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , Sasha Levin Subject: [PATCH 5.19 416/717] usb: gadget: f_fs: stricter integer overflow checks Date: Sat, 22 Oct 2022 09:24:55 +0200 Message-Id: <20221022072516.609281185@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221022072415.034382448@linuxfoundation.org> References: <20221022072415.034382448@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Dan Carpenter [ Upstream commit f57004b9d96755cd6a243b51c267be4016b4563c ] This from static analysis. The vla_item() takes a size and adds it to the total. It has a built in integer overflow check so if it encounters an integer overflow anywhere then it records the total as SIZE_MAX. However there is an issue here because the "lang_count*(needed_count+1)" multiplication can overflow. Technically the "lang_count + 1" addition could overflow too, but that would be detected and is harmless. Fix both using the new size_add() and size_mul() functions. Fixes: e6f3862fa1ec ("usb: gadget: FunctionFS: Remove VLAIS usage from gadg= et code") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YxDI3lMYomE7WCjn@kili Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/f_fs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/functi= on/f_fs.c index e0fa4b186ec6..36184a762527 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -2645,10 +2645,10 @@ static int __ffs_data_got_strings(struct ffs_data *= ffs, unsigned i =3D 0; vla_group(d); vla_item(d, struct usb_gadget_strings *, stringtabs, - lang_count + 1); + size_add(lang_count, 1)); vla_item(d, struct usb_gadget_strings, stringtab, lang_count); vla_item(d, struct usb_string, strings, - lang_count*(needed_count+1)); + size_mul(lang_count, (needed_count + 1))); =20 char *vlabuf =3D kmalloc(vla_group_size(d), GFP_KERNEL); =20 --=20 2.35.1