* [PATCH] usb: usbip: vhci_hcd: protect shift size
From: Randy Dunlap @ 2020-12-29  7:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Randy Dunlap, syzbot+297d20e437b79283bf6d, Yuyang Du, Shuah Khan,
	Greg Kroah-Hartman, linux-usb

Fix shift out-of-bounds in vhci_hcd.c:

  UBSAN: shift-out-of-bounds in ../drivers/usb/usbip/vhci_hcd.c:399:41
  shift exponent 768 is too large for 32-bit type 'int'

Fixes: 03cd00d538a6 ("usbip: vhci-hcd: Set the vhci structure up to work")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: syzbot+297d20e437b79283bf6d@syzkaller.appspotmail.com
Cc: Yuyang Du <yuyang.du@intel.com>
Cc: Shuah Khan <shuahkh@osg.samsung.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
---
 drivers/usb/usbip/vhci_hcd.c |    2 ++
 1 file changed, 2 insertions(+)

--- linux-5.10.orig/drivers/usb/usbip/vhci_hcd.c
+++ linux-5.10/drivers/usb/usbip/vhci_hcd.c
@@ -396,6 +396,8 @@ static int vhci_hub_control(struct usb_h
 		default:
 			usbip_dbg_vhci_rh(" ClearPortFeature: default %x\n",
 					  wValue);
+			if (wValue >= 32)
+				goto error;
 			vhci_hcd->port_status[rhport] &= ~(1 << wValue);
 			break;
 		}
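
Review bot: The added `if (wValue >= 32)` bound still lets wValue == 31 reach `1 << wValue`, and the UBSAN report says the shifted operand is a 32-bit 'int', so that case shifts into the sign bit. Consider making the constant unsigned (`1U << wValue`) so the guard and the shift agree on the full 0..31 range. The literal 32 is also a magic number tied to the width of the port_status word; a short comment or a width-derived constant would keep the check correct if that type ever changes. If other branches of vhci_hub_control() shift by wValue in the same way, they need the same guard.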
