Commit 545c1037 authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman

USB: devio: Prevent integer overflow in proc_do_submiturb()

commit 57999d11 upstream.

There used to be an integer overflow check in proc_do_submiturb() but
we removed it.  It turns out that it's still required.  The
uurb->buffer_length variable is a signed integer and it's controlled by
the user.  It can lead to an integer overflow when we do:

	num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);

If we strip away the macro then that line looks like this:

	num_sgs = (uurb->buffer_length + USB_SG_SIZE - 1) / USB_SG_SIZE;
It's the first addition which can overflow.

Fixes: 1129d270 ("USB: Increase usbfs transfer limit")
Signed-off-by: default avatarDan Carpenter <>
Acked-by: default avatarAlan Stern <>
Signed-off-by: default avatarGreg Kroah-Hartman <>
parent d6ab871c
......@@ -139,6 +139,9 @@ module_param(usbfs_memory_mb, uint, 0644);
"maximum MB allowed for usbfs buffers (0 = no limit)");
/* Hard limit, necessary to avoid arithmetic overflow */
#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000)
static atomic64_t usbfs_memory_usage; /* Total memory currently allocated */
/* Check whether it's okay to allocate more memory for a transfer */
......@@ -1459,6 +1462,8 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
return -EINVAL;
if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
return -EINVAL;
if (uurb->buffer_length > 0 && !uurb->buffer)
return -EINVAL;
if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment