From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Subject: [2/2] USB: serial: ti_usb_3410_5052: fix array underflow in completion handler 
From: Johan Hovold Message-Id: <20180821095953.19728-2-johan@kernel.org> Date: Tue, 21 Aug 2018 11:59:53 +0200 To: Johan Hovold Cc: Dan Carpenter , Greg Kroah-Hartman , linux-usb@vger.kernel.org, stable List-ID:
From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-lj1-f196.google.com ([209.85.208.196]:32830 "EHLO mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726641AbeHUNTr (ORCPT ); Tue, 21 Aug 2018 09:19:47 -0400 
From: Johan Hovold To: Johan Hovold Cc: Dan Carpenter , Greg Kroah-Hartman , linux-usb@vger.kernel.org, stable Subject: [PATCH 2/2] USB: serial: ti_usb_3410_5052: fix array underflow in completion handler Date: Tue, 21 Aug 2018 11:59:53 +0200 Message-Id: <20180821095953.19728-2-johan@kernel.org> In-Reply-To: <20180821095953.19728-1-johan@kernel.org> References: <20180821095953.19728-1-johan@kernel.org> Sender: stable-owner@vger.kernel.org List-ID: Similarly to a recently reported bug in io_ti, a malicious USB device could set port_number to -3 and we would underflow the port array in the interrupt completion handler. As these devices only have one or two ports, fix this by making sure we only consider the seventh bit when determining the port number (and ignore bits 0xb0 which are typically set to 0x30). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable Signed-off-by: Johan Hovold --- drivers/usb/serial/ti_usb_3410_5052.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c index 3010878f7f8e..e3c5832337e0 100644 --- a/drivers/usb/serial/ti_usb_3410_5052.c +++ b/drivers/usb/serial/ti_usb_3410_5052.c @@ -1119,7 +1119,7 @@ static void ti_break(struct tty_struct *tty, int break_state) static int ti_get_port_from_code(unsigned char code) { - return (code >> 4) - 3; + return (code >> 6) & 0x01; } static int ti_get_func_from_code(unsigned char code) -- 2.18.0
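Review bot: In ti_get_port_from_code(), the new `return (code >> 6) & 0x01;` maps every possible byte to port 0 or 1, so a code whose upper nibble is neither 0x3 nor 0x4 is silently accepted instead of being rejected, and any code with bit 6 set still yields port 1 on a single-port device. The hunk does not show the caller, so please confirm that the interrupt completion handler keeps an upper-bound check against the number of ports before indexing the port array. A one-line comment on the helper saying that only bit 6 (0x40) selects the port and that bits 0xb0 are ignored would also make the constants 6 and 0x01 readable without the commit message.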