From mboxrd@z Thu Jan 1 00:00:00 1970 From: Greg KH Subject: Re: [PATCH v2] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Date: Wed, 12 Dec 2018 12:40:24 +0100 Message-ID: <20181212114024.GA26559@kroah.com> References: <20181209163245.GA25484@kroah.com> <20181210080443.GA27035@kroah.com> <20181210125020.64nybfkrotjun7rw@linutronix.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: "David S. Miller" , netdev@vger.kernel.org, linux-usb@vger.kernel.org, Hui Peng , Mathias Payer To: Sebastian Andrzej Siewior Return-path: Received: from mail.kernel.org ([198.145.29.99]:53784 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726869AbeLLLk1 (ORCPT ); Wed, 12 Dec 2018 06:40:27 -0500 Content-Disposition: inline In-Reply-To: <20181210125020.64nybfkrotjun7rw@linutronix.de> Sender: netdev-owner@vger.kernel.org List-ID: On Mon, Dec 10, 2018 at 01:50:20PM +0100, Sebastian Andrzej Siewior wrote: > On 2018-12-10 09:04:43 [+0100], Greg KH wrote: > > From: Hui Peng > > > > The function hso_probe reads if_num from the USB device (as an u8) and uses > > it without a length check to index an array, resulting in an OOB memory read > > in hso_probe or hso_get_config_data. Added a length check for both locations > > and updated hso_probe to bail on error. > > The function hso_probe reads if_num from the USB device (as an u8) and uses > it without a length check to index an array, resulting in an OOB memory read > in hso_probe or hso_get_config_data. > > Add a length check for both locations and update hso_probe to bail on > error. > > > This issue has been assigned CVE-2018-19985. > > > > Reported-by: Hui Peng > > Reported-by: Mathias Payer > > Signed-off-by: Hui Peng > > Signed-off-by: Mathias Payer > > Signed-off-by: Greg Kroah-Hartman > > Reviewed-by: Sebastian Andrzej Siewior Thanks, will update the changelog and add resend. greg k-h