From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Subject: [1/2] USB: serial: io_ti: fix array underflow in completion handler 
From: Johan Hovold Message-Id: <20180821095953.19728-1-johan@kernel.org> Date: Tue, 21 Aug 2018 11:59:52 +0200 To: Johan Hovold Cc: Dan Carpenter , Greg Kroah-Hartman , linux-usb@vger.kernel.org, stable List-ID:
From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-lj1-f194.google.com ([209.85.208.194]:34133 "EHLO mail-lj1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726641AbeHUNTp (ORCPT ); Tue, 21 Aug 2018 09:19:45 -0400
From: Johan Hovold To: Johan Hovold Cc: Dan Carpenter , Greg Kroah-Hartman , linux-usb@vger.kernel.org, stable Subject: [PATCH 1/2] USB: serial: io_ti: fix array underflow in completion handler Date: Tue, 21 Aug 2018 11:59:52 +0200 Message-Id: <20180821095953.19728-1-johan@kernel.org> Sender: stable-owner@vger.kernel.org List-ID: As reported by Dan Carpenter, a malicious USB device could set port_number to -3 and we would underflow the port array in the interrupt completion handler. As these devices only have one or two ports, fix this by making sure we only consider the seventh bit when determining the port number (and ignore bits 0xb0 which are typically set to 0x30). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable Reported-by: Dan Carpenter Signed-off-by: Johan Hovold --- drivers/usb/serial/io_ti.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/serial/io_ti.h b/drivers/usb/serial/io_ti.h index e53c68261017..9bbcee37524e 100644 --- a/drivers/usb/serial/io_ti.h +++ b/drivers/usb/serial/io_ti.h @@ -173,7 +173,7 @@ struct ump_interrupt { } __attribute__((packed)); -#define TIUMP_GET_PORT_FROM_CODE(c) (((c) >> 4) - 3) +#define TIUMP_GET_PORT_FROM_CODE(c) (((c) >> 6) & 0x01) #define TIUMP_GET_FUNC_FROM_CODE(c) ((c) & 0x0f) #define TIUMP_INTERRUPT_CODE_LSR 0x03 #define TIUMP_INTERRUPT_CODE_MSR 0x04 -- 2.18.0
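Review bot: In the replacement `TIUMP_GET_PORT_FROM_CODE(c)` define, masking to bit 6 bounds the result to 0 or 1, which removes the negative index, but a device can still report port 1 on hardware that has only one port. The interrupt completion handler is not part of this hunk, so please confirm that it rejects a port number at or above the number of ports actually registered before it indexes the port array, or add that check alongside this change. A short comment above the define recording the layout the commit message describes (bit 6 selects the port, bits 0xb0 are ignored and are typically 0x30, the low nibble is the function code) would also help, since `>> 6) & 0x01` on its own does not say why the other upper bits are dropped.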