On Sun, Apr 19, 2020 at 10:04:06PM +0000, Changming Liu wrote:
> Hi Thomas,
> Greetings, I'm a first-year PhD student who is interested in using UBSan for the Linux kernel. With some experiments, I found that in
> drivers/usb/misc/sisusbvga/sisusb.c sisusb_getidxreg, there is a signed integer overflow which might cause unexpected results.
>
> More specifically, starting from the fetch function in func sisusb_ioctl, line 2959, struct sisusb_command y is filled with data from user space. Then diving into
> sisusb_handle_command, the signed integer, named port, is cast from y->data3.
> Then when executing sisusb_getidxreg, the signed integer, port, is used as a 32-bit unsigned address in function sisusb_write_memio_byte.

Great, can you provide a patch fixing this so we can give you the proper credit for finding and fixing the issue?

thanks,

greg k-h
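
The pattern the report describes, a user-filled 32-bit field held in a signed `int` and later used as an unsigned address, modeled as an added example that is not code from this thread or from the sisusb driver. The window constants, the `port + 1` arithmetic and the function names are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical I/O window, for illustration only (not the driver's values). */
#define IO_BASE 0x00030000u
#define IO_SIZE 0x00000080u

/* Models the pattern from the report: a user-supplied 32-bit field is held
 * in a signed int and then used in address arithmetic (assumed here to be
 * port + 1 for a data register). Returns false for inputs where the value
 * does not fit in int or the signed addition would overflow; the builtin
 * detects that without executing the undefined operation. */
bool signed_path_is_safe(uint32_t data3)
{
    int port, next;

    if (data3 > (uint32_t)INT_MAX)
        return false;               /* conversion to int changes the value */
    port = (int)data3;
    return !__builtin_add_overflow(port, 1, &next);
}

/* Hardened form: stay in an unsigned type and reject anything outside the
 * window before any arithmetic. Returns 0 on success, -1 on rejection. */
int port_from_user(uint32_t data3, uint32_t *idx_reg, uint32_t *data_reg)
{
    /* The offset must leave room for the data register at offset + 1. */
    if (data3 < IO_BASE || data3 - IO_BASE >= IO_SIZE - 1)
        return -1;
    *idx_reg = data3;
    *data_reg = data3 + 1;          /* cannot wrap: bounded by the window */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs standing in for y->data3. */
    uint32_t samples[] = { IO_BASE + 4, 0x7fffffffu, 0x80000000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t a = 0, b = 0;
        printf("0x%08x signed_ok=%d validated=%d\n", (unsigned)samples[i],
               signed_path_is_safe(samples[i]),
               port_from_user(samples[i], &a, &b));
    }
    return 0;
}
```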