From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:50920 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750869AbdCOIA2 (ORCPT ); Wed, 15 Mar 2017 04:00:28 -0400 Subject: Patch "USB: serial: io_ti: fix information leak in completion handler" has been added to the 4.9-stable tree To: johan@kernel.org, gregkh@linuxfoundation.org Cc: , From: Date: Wed, 15 Mar 2017 15:59:09 +0800 Message-ID: <1489564749194171@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled USB: serial: io_ti: fix information leak in completion handler to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: usb-serial-io_ti-fix-information-leak-in-completion-handler.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 654b404f2a222f918af9b0cd18ad469d0c941a8e Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Mon, 6 Mar 2017 17:36:40 +0100 Subject: USB: serial: io_ti: fix information leak in completion handler From: Johan Hovold commit 654b404f2a222f918af9b0cd18ad469d0c941a8e upstream. Add missing sanity check to the bulk-in completion handler to avoid an integer underflow that can be triggered by a malicious device. This avoids leaking 128 kB of memory content from after the URB transfer buffer to user space. Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32") Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/usb/serial/io_ti.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/serial/io_ti.c +++ b/drivers/usb/serial/io_ti.c @@ -1761,7 +1761,7 @@ static void edge_bulk_in_callback(struct port_number = edge_port->port->port_number; - if (edge_port->lsr_event) { + if (urb->actual_length > 0 && edge_port->lsr_event) { edge_port->lsr_event = 0; dev_dbg(dev, "%s ===== Port %u LSR Status = %02x, Data = %02x ======\n", __func__, port_number, edge_port->lsr_mask, *data); Patches currently in stable-queue which might be from johan@kernel.org are queue-4.9/usb-serial-digi_acceleport-fix-oob-event-processing.patch queue-4.9/usb-serial-omninet-fix-reference-leaks-at-open.patch queue-4.9/usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch queue-4.9/usb-iowarrior-fix-null-deref-in-write.patch queue-4.9/usb-iowarrior-fix-null-deref-at-probe.patch queue-4.9/usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch queue-4.9/usb-serial-io_ti-fix-information-leak-in-completion-handler.patch queue-4.9/usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch