From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andrey Konovalov, Johan Hovold
Subject: [PATCH 4.4 26/56] USB: serial: visor: handle potential invalid device configuration
Date: Mon, 14 May 2018 08:48:31 +0200
Message-Id: <20180514064757.368589623@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180514064754.853201981@linuxfoundation.org>
References: <20180514064754.853201981@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman

commit 4842ed5bfcb9daf6660537d70503c18d38dbdbb8 upstream.

If we get an invalid device configuration from a palm 3 type device, we
might incorrectly parse things, and we have the potential to crash in
"interesting" ways.

Fix this up by verifying the size of the configuration passed to us by
the device, and only if it is correct, will we handle it.

Note that this also fixes an information leak of slab data.

Reported-by: Andrey Konovalov
Reviewed-by: Andrey Konovalov
Signed-off-by: Greg Kroah-Hartman
[ johan: add comment about the info leak ]
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/serial/visor.c | 69 ++++++++++++++++++++++-----------------------
 1 file changed, 35 insertions(+), 34 deletions(-)

--- a/drivers/usb/serial/visor.c
+++ b/drivers/usb/serial/visor.c
@@ -338,47 +338,48 @@ static int palm_os_3_probe(struct usb_se goto exit; } - if (retval == sizeof(*connection_info)) { - connection_info = (struct visor_connection_info *) - transfer_buffer; - - num_ports = le16_to_cpu(connection_info->num_ports); - for (i = 0; i < num_ports; ++i) { - switch ( - connection_info->connections[i].port_function_id) { - case VISOR_FUNCTION_GENERIC: - string = "Generic"; - break; - case VISOR_FUNCTION_DEBUGGER: - string = "Debugger"; - break; - case VISOR_FUNCTION_HOTSYNC: - string = "HotSync"; - break; - case VISOR_FUNCTION_CONSOLE: - string = "Console"; - break; - case VISOR_FUNCTION_REMOTE_FILE_SYS: - string = "Remote File System"; - break; - default: - string = "unknown"; - break; - } - dev_info(dev, "%s: port %d, is for %s use\n", - serial->type->description, - connection_info->connections[i].port, string); - } + if (retval != sizeof(*connection_info)) { + dev_err(dev, "Invalid connection information received from device\n"); + retval = -ENODEV; + goto exit; } - /* - * Handle devices that report invalid stuff here. - */ + + connection_info = (struct visor_connection_info *)transfer_buffer; + + num_ports = le16_to_cpu(connection_info->num_ports); + + /* Handle devices that report invalid stuff here. 
*/ if (num_ports == 0 || num_ports > 2) { dev_warn(dev, "%s: No valid connect info available\n", serial->type->description); num_ports = 2; } + for (i = 0; i < num_ports; ++i) { + switch (connection_info->connections[i].port_function_id) { + case VISOR_FUNCTION_GENERIC: + string = "Generic"; + break; + case VISOR_FUNCTION_DEBUGGER: + string = "Debugger"; + break; + case VISOR_FUNCTION_HOTSYNC: + string = "HotSync"; + break; + case VISOR_FUNCTION_CONSOLE: + string = "Console"; + break; + case VISOR_FUNCTION_REMOTE_FILE_SYS: + string = "Remote File System"; + break; + default: + string = "unknown"; + break; + } + dev_info(dev, "%s: port %d, is for %s use\n", + serial->type->description, + connection_info->connections[i].port, string); + } dev_info(dev, "%s: Number of ports: %d\n", serial->type->description, num_ports);
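
Review bot: In the relocated for loop, when num_ports was 0 or greater than 2 and has just been forced to 2, the per-port dev_info lines still print connections[0] and connections[1] as if the device had described them, immediately after the dev_warn saying "No valid connect info available". Consider skipping the per-port dev_info in that fallback case, or wording it so the log does not present unvalidated port_function_id and port values as the device's real layout. Separately, a transfer where retval != sizeof(*connection_info) now fails the probe with -ENODEV, whereas the old code skipped parsing and fell through to the num_ports fallback; the changelog should say explicitly that such devices will no longer bind, so the change is easy to find if a device stops working after this update.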