On Tue, Aug 23, 2022 at 11:53:26PM +0300, Sergey Shtylyov wrote: > As follows from #define NAME_TEMPLATE, the procfs code in the RNDIS driver > expects the # of instances to be 3-digit decimal, while the driver calls > ida_simple_get() passing 0 as the 'end' argument which results in actual > max instance # of INT_MAX. Limit the maximum # of RNDIS instances to 1000 > which is still a lot! :-) > > Found by Linux Verification Center (linuxtesting.org) with the SVACE static > analysis tool. > > Signed-off-by: Sergey Shtylyov <s.shtylyov@xxxxxx> > > --- > This patch is against the 'next' branch of Felipe Balbi's 'usb.git' repo... > > drivers/usb/gadget/function/rndis.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > Index: usb/drivers/usb/gadget/function/rndis.c > =================================================================== > --- usb.orig/drivers/usb/gadget/function/rndis.c > +++ usb/drivers/usb/gadget/function/rndis.c > @@ -865,7 +865,7 @@ EXPORT_SYMBOL_GPL(rndis_msg_parser); > > static inline int rndis_get_nr(void) > { > - return ida_simple_get(&rndis_ida, 0, 0, GFP_KERNEL); > + return ida_simple_get(&rndis_ida, 0, 1000, GFP_KERNEL); Why not just change the procfs code instead? It's not like anyone should ever be using this driver anyway. We should delete it soon, it's totally broken and insecure as noted in the past :( thanks, greg k-h
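Review bot: the literal 1000 passed as the 'end' argument in rndis_get_nr() is a magic number whose only justification, the 3-digit width implied by NAME_TEMPLATE, lives in the commit message rather than in the code. A named constant defined next to NAME_TEMPLATE (hypothetical name, e.g. RNDIS_MAX_INSTANCES), with a comment tying the two together, would keep a later change to the template width from silently reintroducing the mismatch. Since the 'end' argument of ida_simple_get() is exclusive, 1000 yields ids 0 through 999, which does fit three digits, so the bound itself is right. With the cap in place, running out of ids becomes a reachable failure, and the visible lines do not show whether the caller of rndis_get_nr() checks for a negative return value; that is worth confirming before this goes in.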