Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp1243104ybi;
        Fri, 2 Aug 2019 11:50:34 -0700 (PDT)
X-Google-Smtp-Source: APXvYqw2NWgjxWDazqFueoR1WkOjwpCS2YzAy8KWmSxWgD/nEDPZbBNsEbdI1Kd8/RawhCTlE+vZ
X-Received: by 2002:a65:6288:: with SMTP id f8mr119376358pgv.292.1564771834061;
        Fri, 02 Aug 2019 11:50:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1564771834; cv=none;
        d=google.com; s=arc-20160816;
        b=l3trVrchL0Y0suxYXMv4W4DZSafPE1keMzsF4BkNb8ZDfAC20QcWWPjHKvWFwsrMLI
         HeIRqg9qfP9cBqbCZzTxYv7sm/1dEcg69Vb5LuhactBLEA9KeCo9f2PkKEzwvUA/MmxI
         abay+HdgmDpYm6D0E/CqStqru2j439s5+WN7XGykKkZqSBv6ntNOJsFCk0q3iW9zq5cF
         w/pAa38lxIhDUdMvPkIPjN3KRcBoaFTXSIzyKyYy1bPmBd1lPSsYoL+pMEsjHW7uhD5r
         ffcPIoJWbWxSuCL0KmVr8VzB0Sh+JfcSqjrDD36Kor9wvj5FK84mRXKSg1TrBbGW4V8U
         IYlA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=eN342ITNaHGOztW3VVUHkvlPnPqNQoLEAA06oZylPY8=;
        b=tpYp+fs+MlAjnZ41Bs4P3VdsTJR2IRLx8Uy3eTnjbrT9RN+4p6O6JTFEYg1A1Qqiqm
         +0xOmbSyZLLJZkeGASuPn0E6YqjfSOLzUhPACKv3aYNNJJe/XotLRW43ul7Hgslz53ul
         dXZNh04VO9P7HPgsGmVzK0nUu87GafOwck9sLaHjWVkMHHeajOQc4NMjrzI2TKzvOcpm
         /48XQw1VCp8qqTYMNAOEC/GvTNl+yMMPbjF/lSkchVaAnfy1VicEc4oYVoQsb+oSaG61
         2jrJNlQpX9iVUTX6Gmaum0eEgiDBZ0zN/1IDu7GaGPoSI//95mqAggCYWLeOGAMAnoIn
         iBhQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=HTafo1vx;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q23si6877486pjp.63.2019.08.02.11.50.18;
        Fri, 02 Aug 2019 11:50:34 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=HTafo1vx;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2406211AbfHBJx1 (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Fri, 2 Aug 2019 05:53:27 -0400
Received: from mail.kernel.org ([198.145.29.99]:59568 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2406272AbfHBJx0 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 2 Aug 2019 05:53:26 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 47DC82086A;
        Fri,  2 Aug 2019 09:53:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1564739605;
        bh=Cd2/CtlMzi0MVSdMVDg8CkFE200fT4o/RHRtNoAlWUo=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=HTafo1vxJVSJ8G+VRYH3eQ9LxYLXLvP7sIeau/4c8+rOIL4odhwAvpkHw7+s/++5W
         sQasFTauuHSx6y/bavlWGwZYAMzhJ75ricHtCxQbkXviDGMhBShIVJ/hBaV2pcrt4e
         GBXyDhpplBptm+ecY81QjReP0IePhOZ9z69vZH2c=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com,
        Phong Tran <tranmanphong@gmail.com>,
        "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 216/223] ISDN: hfcsusb: checking idx of ep configuration
Date:   Fri,  2 Aug 2019 11:37:21 +0200
Message-Id: <20190802092250.722969575@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190802092238.692035242@linuxfoundation.org>
References: <20190802092238.692035242@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Phong Tran <tranmanphong@gmail.com>

commit f384e62a82ba5d85408405fdd6aeff89354deaa9 upstream.

The syzbot test with random endpoint address which made the idx is
overflow in the table of endpoint configuations.

this adds the checking for fixing the error report from
syzbot

KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
The patch tested by syzbot [2]

Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com

[1]:
https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
[2]:
https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ

Signed-off-by: Phong Tran <tranmanphong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/isdn/hardware/mISDN/hfcsusb.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1963,6 +1963,9 @@ hfcsusb_probe(struct usb_interface *intf
 
 				/* get endpoint base */
 				idx = ((ep_addr & 0x7f) - 1) * 2;
+				if (idx > 15)
+					return -EIO;
+
 				if (ep_addr & 0x80)
 					idx++;
 				attr = ep->desc.bmAttributes;