* [PATCH] ueagle-atm: enforce boundary check for sync_wait[]
@ 2025-04-07 13:00 Alexey V. Vissarionov
2025-04-07 17:30 ` Stanislaw Gruszka
0 siblings, 1 reply; 2+ messages in thread
From: Alexey V. Vissarionov @ 2025-04-07 13:00 UTC (permalink / raw)
To: Matthieu CASTET
Cc: Stanislaw Gruszka, Greg Kroah-Hartman, Andrew Morton, linux-usb,
lvc-project, gremlin
After several increments of modem_index (e.g. after plugging and
removing the device several times) modem_index may reach NB_MODEM
value causing the out-of-boundary sync_wait[] array access.
Found by ALT Linux Team (altlinux.org) and Linux Verification Center
(linuxtesting.org).
Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver")
Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org>
---
drivers/usb/atm/ueagle-atm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/atm/ueagle-atm.c b/drivers/usb/atm/ueagle-atm.c
index cd0f7b4bd82ab132..436412b62c910e2f 100644
--- a/drivers/usb/atm/ueagle-atm.c
+++ b/drivers/usb/atm/ueagle-atm.c
@@ -2500,7 +2500,9 @@ static int uea_bind(struct usbatm_data *usbatm, struct usb_interface *intf,
if (ifnum != UEA_INTR_IFACE_NO)
return -ENODEV;
- usbatm->flags = (sync_wait[modem_index] ? 0 : UDSL_SKIP_HEAVY_INIT);
+ usbatm->flags =
+ modem_index < NB_MODEM && sync_wait[modem_index] ?
+ 0 : UDSL_SKIP_HEAVY_INIT;
/* interface 1 is for outbound traffic */
ret = claim_interface(usb, usbatm, UEA_US_IFACE_NO);
--
Alexey V. Vissarionov
gremlin ПРИ altlinux ТЧК org; +vii-cmiii-ccxxix-lxxix-xlii
GPG: 0D92F19E1C0DC36E27F61A29CD17E2B43D879005 @ hkp://keys.gnupg.net
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] ueagle-atm: enforce boundary check for sync_wait[]
2025-04-07 13:00 [PATCH] ueagle-atm: enforce boundary check for sync_wait[] Alexey V. Vissarionov
@ 2025-04-07 17:30 ` Stanislaw Gruszka
0 siblings, 0 replies; 2+ messages in thread
From: Stanislaw Gruszka @ 2025-04-07 17:30 UTC (permalink / raw)
To: Alexey V. Vissarionov
Cc: Matthieu CASTET, Greg Kroah-Hartman, Andrew Morton, linux-usb,
lvc-project
On Mon, Apr 07, 2025 at 04:00:00PM +0300, Alexey V. Vissarionov wrote:
> After several increments of modem_index (e.g. after plugging and
> removing the device several times) modem_index may reach NB_MODEM
> value causing the out-of-boundary sync_wait[] array access.
>
> Found by ALT Linux Team (altlinux.org) and Linux Verification Center
> (linuxtesting.org).
>
> Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver")
> Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
> ---
> drivers/usb/atm/ueagle-atm.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/atm/ueagle-atm.c b/drivers/usb/atm/ueagle-atm.c
> index cd0f7b4bd82ab132..436412b62c910e2f 100644
> --- a/drivers/usb/atm/ueagle-atm.c
> +++ b/drivers/usb/atm/ueagle-atm.c
> @@ -2500,7 +2500,9 @@ static int uea_bind(struct usbatm_data *usbatm, struct usb_interface *intf,
> if (ifnum != UEA_INTR_IFACE_NO)
> return -ENODEV;
>
> - usbatm->flags = (sync_wait[modem_index] ? 0 : UDSL_SKIP_HEAVY_INIT);
> + usbatm->flags =
> + modem_index < NB_MODEM && sync_wait[modem_index] ?
> + 0 : UDSL_SKIP_HEAVY_INIT;
>
> /* interface 1 is for outbound traffic */
> ret = claim_interface(usb, usbatm, UEA_US_IFACE_NO);
>
> --
> Alexey V. Vissarionov
> gremlin ПРИ altlinux ТЧК org; +vii-cmiii-ccxxix-lxxix-xlii
> GPG: 0D92F19E1C0DC36E27F61A29CD17E2B43D879005 @ hkp://keys.gnupg.net
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-04-07 17:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-07 13:00 [PATCH] ueagle-atm: enforce boundary check for sync_wait[] Alexey V. Vissarionov
2025-04-07 17:30 ` Stanislaw Gruszka
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).