From: Johan Hovold <johan@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Johan Hovold <johan@kernel.org>,
	Andrey Konovalov <andreyknvl@google.com>,
	linux-usb@vger.kernel.org
Subject: USB: serial: visor: handle potential invalid device configuration
Date: Wed, 2 May 2018 09:50:04 +0200
Message-ID: <20180502075004.GB2285@localhost>

On Sun, Apr 29, 2018 at 05:41:55PM +0200, Greg Kroah-Hartman wrote:
> If we get an invalid device configuration from a palm 3 type device, we
> might incorrectly parse things, and we have the potential to crash in
> "interesting" ways.
> 
> Fix this up by verifying the size of the configuration passed to us by
> the device, and only if it is correct, will we handle it.
> 
> Reported-by: Andrey Konovalov <andreyknvl@google.com>
> Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
> 
> Here is my long-forgotten patch for the visor driver to resolve an issue
> that Andrey found back in September of 2017.  Sorry for the long delay.
> 
> Johan, I incorporated your review comments of my original one-off patch
> here as well.

Thanks for the update. I've applied this for 4.17-rc now after adding a
stable tag and a comment about this one also fixing a slab info leak
(through that dev_info in the port loop below).

> diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
> index f5373ed2cd45..8ddbecc25d89 100644
> --- a/drivers/usb/serial/visor.c
> +++ b/drivers/usb/serial/visor.c
> @@ -335,47 +335,48 @@ static int palm_os_3_probe(struct usb_serial *serial,
>  		goto exit;
>  	}
>  
> -	if (retval == sizeof(*connection_info)) {
> -			connection_info = (struct visor_connection_info *)
> -							transfer_buffer;
> -
> -		num_ports = le16_to_cpu(connection_info->num_ports);
> -		for (i = 0; i < num_ports; ++i) {
> -			switch (
> -			   connection_info->connections[i].port_function_id) {
> -			case VISOR_FUNCTION_GENERIC:
> -				string = "Generic";
> -				break;
> -			case VISOR_FUNCTION_DEBUGGER:
> -				string = "Debugger";
> -				break;
> -			case VISOR_FUNCTION_HOTSYNC:
> -				string = "HotSync";
> -				break;
> -			case VISOR_FUNCTION_CONSOLE:
> -				string = "Console";
> -				break;
> -			case VISOR_FUNCTION_REMOTE_FILE_SYS:
> -				string = "Remote File System";
> -				break;
> -			default:
> -				string = "unknown";
> -				break;
> -			}
> -			dev_info(dev, "%s: port %d, is for %s use\n",
> -				serial->type->description,
> -				connection_info->connections[i].port, string);
> -		}
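
Review bot: num_ports in the removed loop comes straight from the device through le16_to_cpu(connection_info->num_ports) and is never checked against the number of entries in connections[] before connection_info->connections[i] is read, so the retval == sizeof(*connection_info) test alone does not stop the loop from walking past the array and handing adjacent slab contents to dev_info(). The replacement lines are cut off in this quoted hunk, so confirm that they bound num_ports before the loop as well as validating retval, for example by clamping it to ARRAY_SIZE(connection_info->connections) or rejecting the configuration when it is larger.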

Johan