From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Phong Tran <tranmanphong@gmail.com>,
	syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com,
	"David S . Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 11/23] ISDN: hfcsusb: checking idx of ep configuration
Date: Fri, 26 Jul 2019 09:45:10 -0400
Message-ID: <20190726134522.13308-11-sashal@kernel.org>
In-Reply-To: <20190726134522.13308-1-sashal@kernel.org>

From: Phong Tran <tranmanphong@gmail.com>

[ Upstream commit f384e62a82ba5d85408405fdd6aeff89354deaa9 ]

The syzbot test with a random endpoint address made the idx
overflow in the table of endpoint configurations.

This adds the check to fix the error reported by
syzbot.

KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
The patch was tested by syzbot [2]

Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com

[1]:
https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
[2]:
https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ

Signed-off-by: Phong Tran <tranmanphong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/hardware/mISDN/hfcsusb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 114f3bcba1b0..c60c7998af17 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1963,6 +1963,9 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 
 				/* get endpoint base */
 				idx = ((ep_addr & 0x7f) - 1) * 2;
+				if (idx > 15)
+					return -EIO;
+
 				if (ep_addr & 0x80)
 					idx++;
 				attr = ep->desc.bmAttributes;
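
Review bot: the added `if (idx > 15)` test bounds only the upper side of the index. An endpoint address whose low seven bits are zero makes `((ep_addr & 0x7f) - 1) * 2` evaluate to -2, and if idx is a signed type that value passes the check and the later table lookup reads before the start of the table. Consider `if (idx < 0 || idx > 15)`, or reject endpoint number 0 before computing idx. The literal 15 is also worth replacing with an expression derived from the size of the table that idx indexes (for example via ARRAY_SIZE), so the bound cannot drift if the table changes; note that idx is always even at this point and `idx++` follows, so the largest index that can reach the lookup is 15, which should be confirmed against the table's actual length.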
-- 
2.20.1

