From: Xi Wang <xi.wang@gmail.com>
Date: Mon, 9 Apr 2012 19:48:45 +0000 (-0400)
Subject: usb: usbtest: avoid integer overflow in alloc_sglist()
X-Git-Tag: firefly_0821_release~3680^2~3034^2~11
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=8bde9a62ee74afa89f593c563e926d163b1f6ada;p=firefly-linux-kernel-4.4.55.git

usb: usbtest: avoid integer overflow in alloc_sglist()

A large `nents' from userspace could overflow the allocation size,
leading to memory corruption.

| alloc_sglist()
| usbtest_ioctl()

Use kmalloc_array() to avoid the overflow.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
index 967254afb6e8..cac67dea2bac 100644
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -423,7 +423,7 @@ alloc_sglist(int nents, int max, int vary)
 	unsigned		i;
 	unsigned		size = max;
 
-	sg = kmalloc(nents * sizeof *sg, GFP_KERNEL);
+	sg = kmalloc_array(nents, sizeof *sg, GFP_KERNEL);
 	if (!sg)
 		return NULL;
 	sg_init_table(sg, nents);