5.5

CVE-2026-31412

usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()

The `check_command_size_in_blocks()` function calculates the data size
in bytes by left shifting `common->data_size_from_cmnd` by the block
size (`common->curlun->blkbits`). However, it does not validate whether
this shift operation will cause an integer overflow.

Initially, the block size is set up in `fsg_lun_open()` , and the
`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During
initialization, there is no integer overflow check for the interaction
between two variables.

So if a malicious USB host sends a SCSI READ or WRITE command
requesting a large amount of data (`common->data_size_from_cmnd`), the
left shift operation can wrap around. This results in a truncated data
size, which can bypass boundary checks and potentially lead to memory
corruption or out-of-bounds accesses.

Fix this by using the check_shl_overflow() macro to safely perform the
shift and catch any overflows.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 3.3 < 6.1.167
LinuxLinux Kernel Version >= 6.2 < 6.6.130
LinuxLinux Kernel Version >= 6.7 < 6.12.78
LinuxLinux Kernel Version >= 6.13 < 6.18.19
LinuxLinux Kernel Version >= 6.19 < 6.19.9
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.17% 0.065
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc
Patch
https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b
Patch
https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5
Patch
https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3
Patch
https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac
Patch
https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1
Patch