Commitb1cd1b6

brookebasile

authored and

gregkh

committed

USB: gadget: u_f: add overflow checks to VLA macros

size can potentially hold an overflowed value if its assigned expressionis left unchecked, leading to a smaller than needed allocation whenvla_group_size() is used by callers to allocate memory.To fix this, add a test for saturation before declaring variables and anoverflow check to (n) * sizeof(type).If the expression results in overflow, vla_group_size() will return SIZE_MAX.Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>Suggested-by: Kees Cook <keescook@chromium.org>Signed-off-by: Brooke Basile <brookebasile@gmail.com>Acked-by: Felipe Balbi <balbi@kernel.org>Cc: stable <stable@kernel.org>Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 parentf1ec7ae commitb1cd1b6Copy full SHA for b1cd1b6

File tree

1 file changed

+27

-11

lines changed

drivers/usb/gadget
- u_f.h

1 file changed

+27

-11

lines changed

`‎drivers/usb/gadget/u_f.h‎`

Lines changed: 27 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,28 +14,44 @@`
`14`	`14`	`#define__U_F_H__`
`15`	`15`
`16`	`16`	`#include<linux/usb/gadget.h>`
	`17`	`+#include<linux/overflow.h>`
`17`	`18`
`18`	`19`	`/* Variable Length Array Macros **********************************************/`
`19`	`20`	`#definevla_group(groupname) size_t groupname##__next = 0`
`20`	`21`	`#definevla_group_size(groupname) groupname##__next`
`21`	`22`
`22`	`23`	`#definevla_item(groupname,type,name,n) \`
`23`	`24`	`size_t groupname##_##name##__offset = ({ \`
`24`		`-size_t align_mask = __alignof__(type) - 1; \`
`25`		`-size_t offset = (groupname##__next + align_mask) & ~align_mask;\`
`26`		`-size_t size = (n) * sizeof(type); \`
`27`		`-groupname##__next = offset + size; \`
	`25`	`+size_t offset = 0; \`
	`26`	`+if (groupname##__next != SIZE_MAX) { \`
	`27`	`+size_t align_mask = __alignof__(type) - 1; \`
	`28`	`+size_t offset = (groupname##__next + align_mask) \`
	`29`	`+ & ~align_mask; \`
	`30`	`+size_t size = array_size(n, sizeof(type)); \`
	`31`	`+if (check_add_overflow(offset, size, \`
	`32`	`+ &groupname##__next)) { \`
	`33`	`+groupname##__next = SIZE_MAX; \`
	`34`	`+offset = 0; \`
	`35`	`+} \`
	`36`	`+} \`
`28`	`37`	`offset; \`
`29`	`38`	`})`
`30`	`39`
`31`	`40`	`#definevla_item_with_sz(groupname,type,name,n) \`
`32`		`-size_t groupname##_##name##__sz = (n) * sizeof(type); \`
`33`		`-size_t groupname##_##name##__offset = ({ \`
`34`		`-size_t align_mask = __alignof__(type) - 1; \`
`35`		`-size_t offset = (groupname##__next + align_mask) & ~align_mask;\`
`36`		`-size_t size = groupname##_##name##__sz; \`
`37`		`-groupname##__next = offset + size; \`
`38`		`-offset; \`
	`41`	`+size_t groupname##_##name##__sz = array_size(n, sizeof(type)); \`
	`42`	`+size_t groupname##_##name##__offset = ({ \`
	`43`	`+size_t offset = 0;\`
	`44`	`+if (groupname##__next != SIZE_MAX) {\`
	`45`	`+size_t align_mask = __alignof__(type) - 1;\`
	`46`	`+size_t offset = (groupname##__next + align_mask)\`
	`47`	`+ & ~align_mask;\`
	`48`	`+if (check_add_overflow(offset, groupname##_##name##__sz,\`
	`49`	`+&groupname##__next)) {\`
	`50`	`+groupname##__next = SIZE_MAX;\`
	`51`	`+offset = 0;\`
	`52`	`+}\`
	`53`	`+}\`
	`54`	`+offset;\`
`39`	`55`	`})`
`40`	`56`
`41`	`57`	`#definevla_ptr(ptr,groupname,name) \`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitb1cd1b6

File tree

1 file changed

1 file changed

`‎drivers/usb/gadget/u_f.h‎`

0 commit comments