[PATCH v2 0/2] USB: sisusbvga: Fix integer overflow and NULL dereference

Vasiliy Kovalev posted 2 patches 1 month, 1 week ago
drivers/usb/misc/sisusbvga/sisusbvga.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
Posted by Vasiliy Kovalev 1 month, 1 week ago
This series fixes two issues in the sisusbvga driver found by static
analysis and confirmed through testing with USB gadget emulation:

1. Integer overflow in boundary check of sisusb_clear_vram() that can be
   triggered by a compromised USB device reporting inflated VRAM size.

2. NULL pointer dereference in sisusb_read_mem_bulk() when both
   kernbuffer and userbuffer are NULL, causing immediate kernel panic.

Both issues are reproducible with the 'USB Gadget Tests' framework [1].

v2:
- Patch 2/2: Move NULL check into sisusb_read_mem_bulk() and
  return -EINVAL (suggested by Fedor Pchelkin)

[1] https://github.com/kovalev0/usb-gadget-tests

Vasiliy Kovalev (2):
  USB: sisusbvga: Fix integer overflow in sisusb_clear_vram
  USB: sisusbvga: Fix NULL pointer dereference in sisusb_read_mem_bulk

 drivers/usb/misc/sisusbvga/sisusbvga.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

-- 
2.50.1
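
An added illustration of the bug class named in item 1, not code from this series or from the sisusbvga driver: a 32-bit bounds check that adds untrusted values can wrap and skip the clamp, while a subtraction-based check cannot. The struct, function names and sample values are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a VRAM window (not the driver's structures). */
struct vram_window {
    uint32_t base; /* window start in the device address space */
    uint32_t size; /* size derived from device-reported data: untrusted */
};

/* Wrap-prone: addr + *len and base + size are 32-bit sums that can wrap. */
static bool clamp_wrapping(const struct vram_window *w, uint32_t addr, uint32_t *len)
{
    if (addr < w->base || addr >= w->base + w->size)
        return false;
    if (addr + *len > w->base + w->size)
        *len = w->base + w->size - addr;
    return true;
}

/* Overflow-safe: only subtractions whose operands were already ordered. */
static bool clamp_checked(const struct vram_window *w, uint32_t addr, uint32_t *len)
{
    uint32_t off;

    if (w->size > UINT32_MAX - w->base) /* window end not representable */
        return false;
    if (addr < w->base)
        return false;
    off = addr - w->base;               /* addr >= base, no underflow */
    if (off >= w->size)
        return false;
    if (*len > w->size - off)           /* off < size, no underflow */
        *len = w->size - off;
    return true;
}

int main(void)
{
    /* Constructed sample values. */
    struct vram_window w = { 0xd0000000u, 0x08000000u };
    uint32_t a = 0x40000000u, b = 0x40000000u;

    clamp_wrapping(&w, w.base + 0x1000u, &a);
    clamp_checked(&w, w.base + 0x1000u, &b);
    printf("wrapping: len=0x%08x  checked: len=0x%08x\n", (unsigned)a, (unsigned)b);
    return 0;
}
```

With the sample values, the wrapping check leaves the oversized length untouched because `addr + len` wraps below the window end, while the checked variant clamps it to the bytes remaining in the window.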