From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Dan Carpenter", "Johan Hovold"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 166/328] USB: serial: io_ti: fix array underflow in completion handler

3.16.62-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold

commit 691a03cfe8ca483f9c48153b869d354e4ae3abef upstream.

As reported by Dan Carpenter, a malicious USB device could set port_number to a negative value and we would underflow the port array in the interrupt completion handler.

As these devices only have one or two ports, fix this by making sure we only consider the seventh bit when determining the port number (and ignore bits 0xb0 which are typically set to 0x30).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Dan Carpenter
Signed-off-by: Johan Hovold
Signed-off-by: Ben Hutchings
---
 drivers/usb/serial/io_ti.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/io_ti.h +++ b/drivers/usb/serial/io_ti.h @@ -178,7 +178,7 @@ struct ump_interrupt { } __attribute__((packed)); -#define TIUMP_GET_PORT_FROM_CODE(c) (((c) >> 4) - 3) +#define TIUMP_GET_PORT_FROM_CODE(c) (((c) >> 6) & 0x01) #define TIUMP_GET_FUNC_FROM_CODE(c) ((c) & 0x0f) #define TIUMP_INTERRUPT_CODE_LSR 0x03 #define TIUMP_INTERRUPT_CODE_MSR 0x04
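
Review bot: In the new TIUMP_GET_PORT_FROM_CODE definition the result is bounded to 0 or 1, which removes the negative index, but a code with bit 6 set still yields port 1 on a device that has only one port, and nothing in this hunk shows the completion handler comparing the value against the device's actual port count before it indexes the port array. It is worth confirming that check exists at the call site, or adding it there, since the macro alone only guarantees the upper bound for two-port devices. A one-line comment on the macro saying that bit 6 selects the port and that bits 0xb0 (typically 0x30) are deliberately ignored would also document the magic numbers and make it less likely that the expression is later changed back to an arithmetic form that can go negative.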