From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:59044 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726061AbeIXN3m (ORCPT ); Mon, 24 Sep 2018 09:29:42 -0400
Date: Mon, 24 Sep 2018 09:28:56 +0200
From: Greg Kroah-Hartman
To: Johan Hovold
Cc: stable
Subject: Re: [PATCH stable-4.4] USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
Message-ID: <20180924072856.GA26056@kroah.com>
References: <153773072566155@kroah.com> <20180924071917.14149-1-johan@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180924071917.14149-1-johan@kernel.org>
Sender: stable-owner@vger.kernel.org
List-ID:

On Mon, Sep 24, 2018 at 09:19:17AM +0200, Johan Hovold wrote:
> commit 5dfdd24eb3d39d815bc952ae98128e967c9bba49 upstream.
>
> Similarly to a recently reported bug in io_ti, a malicious USB device
> could set port_number to a negative value and we would underflow the
> port array in the interrupt completion handler.
>
> As these devices only have one or two ports, fix this by making sure we
> only consider the seventh bit when determining the port number (and
> ignore bits 0xb0 which are typically set to 0x30).
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable
> Signed-off-by: Johan Hovold
> ---
>  drivers/usb/serial/ti_usb_3410_5052.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Thanks, now queued up.

greg k-h
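
The bounds problem described in the quoted commit message, as an added example that is not part of this mail or of the kernel source: it walks every value a device could place in the interrupt code byte and counts the decoded port indexes that fall outside a two-entry port array. The function names and the offset-style decode are assumptions used for contrast (the mail does not show the pre-fix macro); the masked decode follows the message's "only consider the seventh bit".

```c
#include <stdio.h>

#define NUM_PORTS 2 /* per the commit message: one or two ports */

/* Assumed offset-style decode, for contrast only (hypothetical name):
 * high nibble minus a 0x3 base, so codes below 0x30 go negative. */
static int port_from_code_offset(unsigned char code)
{
	return (code >> 4) - 3;
}

/* Decode as the commit message describes it: only the seventh bit (0x40)
 * selects the port, so the result is always 0 or 1. */
static int port_from_code_masked(unsigned char code)
{
	return (code >> 6) & 0x01;
}

/* Walk every value a device could put in the code byte and count the
 * decoded indexes that fall outside [0, NUM_PORTS). */
static int count_out_of_range(int (*decode)(unsigned char), int *negative)
{
	int bad = 0;

	*negative = 0;
	for (int c = 0; c < 256; c++) {
		int idx = decode((unsigned char)c);

		if (idx < 0)
			(*negative)++;
		if (idx < 0 || idx >= NUM_PORTS)
			bad++;
	}
	return bad;
}

int main(void)
{
	int neg;
	int bad = count_out_of_range(port_from_code_offset, &neg);

	printf("offset decode: %d out of range, %d negative\n", bad, neg);
	bad = count_out_of_range(port_from_code_masked, &neg);
	printf("masked decode: %d out of range, %d negative\n", bad, neg);
	return 0;
}
```

Masking makes the index safe by construction for every possible byte, which is why no separate range check on the array access is needed in this model.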