Hello Laurent Pinchart, The patch cdda479f15cd: "USB gadget: video class function driver" from May 2, 2010, leads to the following static checker warning: drivers/usb/gadget/function/f_uvc.c:223 uvc_function_ep0_complete() error: overflow detected. memcpy() '&uvc_event->data.data' is 60 bytes. user controlled range = '0-64' drivers/usb/gadget/function/f_uvc.c 210 static void 211 uvc_function_ep0_complete(struct usb_ep *ep, struct usb_request *req) 212 { 213 struct uvc_device *uvc = req->context; 214 struct v4l2_event v4l2_event; 215 struct uvc_event *uvc_event = (void *)&v4l2_event.u.data; 216 217 if (uvc->event_setup_out) { 218 uvc->event_setup_out = 0; 219 220 memset(&v4l2_event, 0, sizeof(v4l2_event)); 221 v4l2_event.type = UVC_EVENT_DATA; 222 uvc_event->data.length = req->actual; 223 memcpy(&uvc_event->data.data, req->buf, req->actual); ^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^ It doesn't know the real limit of req->actual, but it's saying that there is a untrusted source which can pick a value between 0-64. 224 v4l2_event_queue(uvc->vdev, &v4l2_event); 225 } 226 } The untrusted source is in dummy_queue(). drivers/usb/gadget/udc/dummy_hcd.c 648 /* implement an emulated single-request FIFO */ 649 if (ep->desc && (ep->desc->bEndpointAddress & USB_DIR_IN) && 650 list_empty(&dum->fifo_req.queue) && 651 list_empty(&ep->queue) && 652 _req->length <= FIFO_SIZE) { ^^^^^^^^^^^^^^^^^^^^^^^^^^ _req->length is untrusted for some reason. This caps it at 0-64. 653 req = &dum->fifo_req; 654 req->req = *_req; 655 req->req.buf = dum->fifo_buf; 656 memcpy(dum->fifo_buf, _req->buf, _req->length); 657 req->req.context = dum; 658 req->req.complete = fifo_complete; 659 660 list_add_tail(&req->queue, &ep->queue); 661 spin_unlock(&dum->lock); 662 _req->actual = _req->length; ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Assigned to _req->actual. 663 _req->status = 0; 664 usb_gadget_giveback_request(_ep, _req); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ And down this call tree. 665 spin_lock(&dum->lock); There is another similar issue: drivers/usb/gadget/function/f_uac1.c:367 f_audio_complete() error: overflow detected. memcpy() '&data' is 4 bytes. user controlled range = '0-64' TODO-List: USB: gadget: potential overflow in uvc_function_ep0_complete(). regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html