[lvc-project] [PATCH v2 1/2] USB: sisusbvga: Fix integer overflow in sisusb_clear_vram

Vasiliy Kovalev kovalev at altlinux.org
Wed Feb 25 00:55:06 MSK 2026 

The boundary check in sisusb_clear_vram():

    if (address + length > sisusb->vrambase + sisusb->vramsize)
        length = sisusb->vrambase + sisusb->vramsize - address;

is subject to unsigned 32-bit integer overflow. When address is close to
UINT32_MAX and length is non-trivial, their sum wraps around and the
guard evaluates incorrectly, allowing the check to be bypassed.

The overflow condition requires length > UINT32_MAX - address. Since
address belongs to [vrambase; vrambase + vramsize) where vrambase is
0xd0000000, and length comes from userspace via SUCMD_CLRSCR as a 24-bit
value (max 0xFFFFFF), overflow is only reachable when sisusb->vramsize
exceeds 1 GiB. A compromised USB device can return an arbitrary value for
sisusb->vramsize via SR[0x14], making this condition reachable.

Use check_add_overflow() to detect the overflow explicitly and return 1.
This ensures the driver correctly rejects invalid parameters instead of
proceeding with wrapped-around values.

Found by Linux Verification Center (linuxtesting.org) with Svace.
Tested with 'USB Gadget Tests'[1]:

$ TEST=sisusbvga-fops-svace-int-overflow
$ echo $TEST > tests/list.txt && make && sudo ./check.sh

[1] Link: https://github.com/kovalev0/usb-gadget-tests
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable at vger.kernel.org>
Signed-off-by: Vasiliy Kovalev <kovalev at altlinux.org>
---
 drivers/usb/misc/sisusbvga/sisusbvga.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/misc/sisusbvga/sisusbvga.c b/drivers/usb/misc/sisusbvga/sisusbvga.c
index febf34f9f049..89d566d192aa 100644
--- a/drivers/usb/misc/sisusbvga/sisusbvga.c
+++ b/drivers/usb/misc/sisusbvga/sisusbvga.c
@@ -1301,6 +1301,7 @@ static int sisusb_clear_vram(struct sisusb_usb_data *sisusb,
 {
 	int ret, i;
 	ssize_t j;
+	u32 end_addr;
 
 	if (address < sisusb->vrambase)
 		return 1;
@@ -1308,7 +1309,10 @@ static int sisusb_clear_vram(struct sisusb_usb_data *sisusb,
 	if (address >= sisusb->vrambase + sisusb->vramsize)
 		return 1;
 
-	if (address + length > sisusb->vrambase + sisusb->vramsize)
+	if (check_add_overflow(address, (u32)length, &end_addr))
+		return 1;
+
+	if (end_addr > sisusb->vrambase + sisusb->vramsize)
 		length = sisusb->vrambase + sisusb->vramsize - address;
 
 	if (length <= 0)
-- 
2.50.1

More information about the lvc-project mailing list