From: Qiujun Huang
To: johan@kernel.org, gregkh@linuxfoundation.org
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, anenbupt@gmail.com, Qiujun Huang
Subject: [PATCH] USB: io_edgeport: fix slab-out-of-bounds Read in edge_interrupt_callback
Date: Wed, 25 Mar 2020 15:52:37 +0800
Message-Id: <1585122757-4528-1-git-send-email-hqjagain@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The boundary condition should be (length - 1) as we access data[position+1].

Reported-and-tested-by: syzbot+37ba33391ad5f3935bbd@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang

--- drivers/usb/serial/io_edgeport.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 5737add..4cca0b8 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -710,7 +710,7 @@ static void edge_interrupt_callback(struct urb *urb) /* grab the txcredits for the ports if available */ position = 2; portNumber = 0; - while ((position < length) && + while ((position < length - 1) && (portNumber < edge_serial->serial->num_ports)) { txCredits = data[position] | (data[position+1] << 8); if (txCredits) { -- 1.8.3.1
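
Review bot: the new bound `position < length - 1` in the `while` condition is only safe if `length` is a signed type, and its declaration is not visible in this hunk; if it is unsigned, a `length` of 0 makes `length - 1` wrap to a very large value and the loop still reads `data[position]` and `data[position+1]` past the end of the buffer. Writing the test as `position + 1 < length` states the requirement in the same terms as the access `data[position+1]` and holds for either signedness. The commit message could also note that a trailing odd byte is now skipped rather than combined into a 16-bit `txCredits` value.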