From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , syzbot+d65f673b847a1a96cdba@syzkaller.appspotmail.com
Subject: [PATCH 3.18 33/86] USB: w1 ds2490: Fix bug caused by improper use of altsetting array
Date: Wed, 15 May 2019 12:55:10 +0200
Message-Id: <20190515090649.435966500@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190515090642.339346723@linuxfoundation.org>
References: <20190515090642.339346723@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alan Stern

commit c114944d7d67f24e71562fcfc18d550ab787e4d4 upstream.

The syzkaller USB fuzzer spotted a slab-out-of-bounds bug in the ds2490 driver. This bug is caused by improper use of the altsetting array in the usb_interface structure (the array's entries are not always stored in numerical order), combined with a naive assumption that all interfaces probed by the driver will have the expected number of altsettings.

The bug can be fixed by replacing references to the possibly non-existent intf->altsetting[alt] entry with the guaranteed-to-exist intf->cur_altsetting entry.

Signed-off-by: Alan Stern
Reported-and-tested-by: syzbot+d65f673b847a1a96cdba@syzkaller.appspotmail.com
CC:
Signed-off-by: Greg Kroah-Hartman

--- drivers/w1/masters/ds2490.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/drivers/w1/masters/ds2490.c +++ b/drivers/w1/masters/ds2490.c 
@@ -1013,15 +1013,15 @@ static int ds_probe(struct usb_interface /* alternative 3, 1ms interrupt (greatly speeds search), 64 byte bulk */ alt = 3; err = usb_set_interface(dev->udev, - intf->altsetting[alt].desc.bInterfaceNumber, alt); + intf->cur_altsetting->desc.bInterfaceNumber, alt); if (err) { dev_err(&dev->udev->dev, "Failed to set alternative setting %d " "for %d interface: err=%d.\n", alt, - intf->altsetting[alt].desc.bInterfaceNumber, err); + intf->cur_altsetting->desc.bInterfaceNumber, err); goto err_out_clear; } - iface_desc = &intf->altsetting[alt]; + iface_desc = intf->cur_altsetting; if (iface_desc->desc.bNumEndpoints != NUM_EP-1) { pr_info("Num endpoints=%d. It is not DS9490R.\n", iface_desc->desc.bNumEndpoints);
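Review bot: the new `iface_desc = intf->cur_altsetting;` near the end of the ds_probe() hunk is only correct because it sits after the `if (err)` check on usb_set_interface(), so it describes the setting selected by `alt` rather than whatever was current at probe entry. A one-line comment saying so would keep a later reorder from turning the following bNumEndpoints test into a check on the wrong descriptor. Separately, `intf->cur_altsetting->desc.bInterfaceNumber` is now dereferenced twice, once in the usb_set_interface() call and once in the dev_err() arguments; reading it into a local before the call would guarantee the error message reports the same interface number that was actually passed. Since `alt = 3` stays hard-coded, rejection of a device that lacks that setting rests on the `if (err)` path shown here, which is worth stating in the changelog alongside the cur_altsetting rationale.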