From: Xiaohui Zhang
To: Xiaohui Zhang, Ian Abbott, H Hartley Sweeten, Greg Kroah-Hartman, Johan Hovold, linux-kernel@vger.kernel.org
Subject: [PATCH 1/1] comedi: ni_usb6501: fix transfer-buffer overflows
Date: Sun, 5 Jun 2022 20:43:22 +0800
Message-Id: <20220605124322.33148-1-ruc_zhangxiaohui@163.com>

From: xiaohuizhang98

We detected a suspected bug with our code clone detection tool.

Similar to the handling of vmk80xx_alloc_usb_buffers in commit
a23461c47482 ("comedi: vmk80xx: fix transfer-buffer overflows"),
we thought a patch might be needed here as well.

The driver uses endpoint-sized USB transfer buffers but up until
recently had no sanity checks on the sizes.

Signed-off-by: xiaohuizhang98
---
 drivers/comedi/drivers/ni_usb6501.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/comedi/drivers/ni_usb6501.c b/drivers/comedi/drivers/ni_usb6501.c
index 0dd9edf7bced..3e2b9f4d840b 100644
--- a/drivers/comedi/drivers/ni_usb6501.c
+++ b/drivers/comedi/drivers/ni_usb6501.c
@@ -90,6 +90,7 @@ #include #define NI6501_TIMEOUT 1000 +#define MIN_BUF_SIZE 64 /* Port request packets */ static const u8 READ_PORT_REQUEST[] = {0x00, 0x01, 0x00, 0x10, @@ -459,12 +460,12 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev) struct ni6501_private *devpriv = dev->private; size_t size; - size = usb_endpoint_maxp(devpriv->ep_rx); + size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE); devpriv->usb_rx_buf = kzalloc(size, GFP_KERNEL); if (!devpriv->usb_rx_buf) return -ENOMEM; - size = usb_endpoint_maxp(devpriv->ep_tx); + size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE); devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); if (!devpriv->usb_tx_buf) return -ENOMEM; -- 2.17.1
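Review bot: MIN_BUF_SIZE, added in the @@ -90,6 +90,7 @@ hunk, has no comment saying what the value 64 is derived from, and unlike NI6501_TIMEOUT on the line above it carries no driver prefix. Suggest naming it NI6501_MIN_BUF_SIZE and documenting which request or response packet sets the minimum, so a reader can check the bound against the packet arrays that follow (READ_PORT_REQUEST and the others) instead of taking the constant on trust.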
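Review bot: in the @@ -459,12 +460,12 @@ hunk, the replacement line for the TX buffer in ni6501_alloc_usb_buffers() reads `devpriv->ep_rx`, while the line it removes read `devpriv->ep_tx`, so usb_tx_buf is now sized from the receive endpoint. This looks like a copy-paste slip from the RX line above it: if ep_tx reports a larger maximum packet size than both ep_rx and MIN_BUF_SIZE, the TX buffer ends up smaller than it was before the patch. Suggest `size = max(usb_endpoint_maxp(devpriv->ep_tx), MIN_BUF_SIZE);` for the second assignment.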