From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andrey Konovalov, Johan Hovold
Subject: [PATCH 3.18 10/23] USB: serial: visor: handle potential invalid device configuration
Date: Mon, 14 May 2018 08:48:39 +0200
Message-Id: <20180514064704.497600777@linuxfoundation.org>
In-Reply-To: <20180514064704.046463679@linuxfoundation.org>
References: <20180514064704.046463679@linuxfoundation.org>

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman

commit 4842ed5bfcb9daf6660537d70503c18d38dbdbb8 upstream.

If we get an invalid device configuration from a palm 3 type device, we might incorrectly parse things, and we have the potential to crash in "interesting" ways.

Fix this up by verifying the size of the configuration passed to us by the device, and only if it is correct, will we handle it.

Note that this also fixes an information leak of slab data.

Reported-by: Andrey Konovalov
Reviewed-by: Andrey Konovalov
Signed-off-by: Greg Kroah-Hartman
[ johan: add comment about the info leak ]
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman

--- drivers/usb/serial/visor.c | 69 ++++++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 34 deletions(-) --- a/drivers/usb/serial/visor.c +++ b/drivers/usb/serial/visor.c 
@@ -338,47 +338,48 @@ static int palm_os_3_probe(struct usb_se goto exit; } - if (retval == sizeof(*connection_info)) { - connection_info = (struct visor_connection_info *) - transfer_buffer; - - num_ports = le16_to_cpu(connection_info->num_ports); - for (i = 0; i < num_ports; ++i) { - switch ( - connection_info->connections[i].port_function_id) { - case VISOR_FUNCTION_GENERIC: - string = "Generic"; - break; - case VISOR_FUNCTION_DEBUGGER: - string = "Debugger"; - break; - case VISOR_FUNCTION_HOTSYNC: - string = "HotSync"; - break; - case VISOR_FUNCTION_CONSOLE: - string = "Console"; - break; - case VISOR_FUNCTION_REMOTE_FILE_SYS: - string = "Remote File System"; - break; - default: - string = "unknown"; - break; - } - dev_info(dev, "%s: port %d, is for %s use\n", - serial->type->description, - connection_info->connections[i].port, string); - } + if (retval != sizeof(*connection_info)) { + dev_err(dev, "Invalid connection information received from device\n"); + retval = -ENODEV; + goto exit; } - /* - * Handle devices that report invalid stuff here. - */ + + connection_info = (struct visor_connection_info *)transfer_buffer; + + num_ports = le16_to_cpu(connection_info->num_ports); + + /* Handle devices that report invalid stuff here. 
*/ if (num_ports == 0 || num_ports > 2) { dev_warn(dev, "%s: No valid connect info available\n", serial->type->description); num_ports = 2; } + for (i = 0; i < num_ports; ++i) { + switch (connection_info->connections[i].port_function_id) { + case VISOR_FUNCTION_GENERIC: + string = "Generic"; + break; + case VISOR_FUNCTION_DEBUGGER: + string = "Debugger"; + break; + case VISOR_FUNCTION_HOTSYNC: + string = "HotSync"; + break; + case VISOR_FUNCTION_CONSOLE: + string = "Console"; + break; + case VISOR_FUNCTION_REMOTE_FILE_SYS: + string = "Remote File System"; + break; + default: + string = "unknown"; + break; + } + dev_info(dev, "%s: port %d, is for %s use\n", + serial->type->description, + connection_info->connections[i].port, string); + } dev_info(dev, "%s: Number of ports: %d\n", serial->type->description, num_ports);
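
Review bot: The fallback `if (num_ports == 0 || num_ports > 2)` now sits above the relocated `for (i = 0; i < num_ports; ++i)` loop, so after `num_ports = 2` the loop reads `connections[0]` and `connections[1]` and logs their `port` and `port_function_id` right after the warning that no valid connect info is available. The size check guarantees the reply filled `*connection_info`, but the length of `connections[]` is not visible in this hunk; please confirm it has at least two entries, and consider skipping the per-port `dev_info()` when the count was rejected. A short comment saying that the clamp must stay ahead of the loop would also help, since the old code iterated on the device-supplied `num_ports` before it was bounded and a later reorder could bring that back. Separately, the new `retval != sizeof(*connection_info)` path returns `-ENODEV`, where the old code skipped the parsing block and carried on with the probe; the commit message should state that devices sending a short reply will no longer bind.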