usb: potential integer overflow in usbg_make_tpg()
[ Upstream commit 153874010354d050f62f8ae25cbb960c17633dc5 ]
The variable tpgt in usbg_make_tpg() is defined as unsigned long and is
assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an
integer overflow when tpgt is greater than USHRT_MAX (65535). I
haven't tried to trigger it myself, but it is possible to trigger it
by calling usbg_make_tpg() with a large value for tpgt.
I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the
relevant code accordingly.
This patch is similar to commit 59c816c1f2 ("vhost/scsi: potential memory corruption").
Signed-off-by: Chen Yufeng <chenyufeng@iie.ac.cn>
Link: https://lore.kernel.org/r/20250415065857.1619-1-chenyufeng@iie.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
committed by
Greg Kroah-Hartman
parent
a8d1b4f219
commit
a33f507f36
@@ -1297,14 +1297,14 @@ static struct se_portal_group *usbg_make_tpg(struct se_wwn *wwn,
|
|||||||
struct usbg_tport *tport = container_of(wwn, struct usbg_tport,
|
struct usbg_tport *tport = container_of(wwn, struct usbg_tport,
|
||||||
tport_wwn);
|
tport_wwn);
|
||||||
struct usbg_tpg *tpg;
|
struct usbg_tpg *tpg;
|
||||||
unsigned long tpgt;
|
u16 tpgt;
|
||||||
int ret;
|
int ret;
|
||||||
struct f_tcm_opts *opts;
|
struct f_tcm_opts *opts;
|
||||||
unsigned i;
|
unsigned i;
|
||||||
|
|
||||||
if (strstr(name, "tpgt_") != name)
|
if (strstr(name, "tpgt_") != name)
|
||||||
return ERR_PTR(-EINVAL);
|
return ERR_PTR(-EINVAL);
|
||||||
if (kstrtoul(name + 5, 0, &tpgt) || tpgt > UINT_MAX)
|
if (kstrtou16(name + 5, 0, &tpgt))
|
||||||
return ERR_PTR(-EINVAL);
|
return ERR_PTR(-EINVAL);
|
||||||
ret = -ENODEV;
|
ret = -ENODEV;
|
||||||
mutex_lock(&tpg_instances_lock);
|
mutex_lock(&tpg_instances_lock);
|
||||||
|
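Review bot: The `kstrtou16(name + 5, 0, &tpgt)` call now carries the whole range check, but nothing at the call site says so, and the narrowing store into `tport_tpgt` that it protects is outside this hunk. A short comment above the call would keep a later edit from widening the parse again, for example `/* kstrtou16() rejects values above U16_MAX, so tpgt always fits the u16 tport_tpgt */`. Base 0 is kept, so hex and octal spellings still parse and two different names can yield the same tag; whether duplicates are rejected further down cannot be seen from here. usbg_make_tpg() continues past the hunk, so any remaining use of tpgt that assumed unsigned long (a `%lu` format, a comparison against a wider bound) should be checked when applying this.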