Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp4466420ybz; Tue, 28 Apr 2020 11:46:30 -0700 (PDT) X-Google-Smtp-Source: APiQypLLkdEfnqwB9dq7Jc335KfiJG0sRkAsT8+CqoGkP5/ovwyh9Vm6ggJYB6Ya/gjjkuSZ0O+p X-Received: by 2002:a50:de02:: with SMTP id z2mr22074468edk.292.1588099590661; Tue, 28 Apr 2020 11:46:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588099590; cv=none; d=google.com; s=arc-20160816; b=vcOX/MLuIGE0SljMBzNZMjrQcgMaXR8mmDp4gqz56rJneZHy9T8wHMvIHiZlJeOwJv cjFvqHv5RZvw7qP/4IA6lDD0jtXCFOZZrIuAFOMGy5cfYNNYIH2kA9cazQIZheymyI1A RC4Qs/dmxecJCBACuq1ZdzXuXjUBG1dKbBwvj6/vdyeH+Dm6Xu9fVdikIpOFaDd4Ahpv SJ/IDugb2ahpse6k9R6+0XtO+OFZOkzbLyGLJe9YxHacT705P/jyJrWzXeBtfv8oHsJA LR45NrUzBs4106WcPYBak4UPco4qSYe7111v4hEHxIZKHwTXChp4/vpR5Kaj+fccKX46 yD6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=J7KyW6MBEglV8O9x2o3UPIQf9JY2nAXeDZlEVvrZzZc=; b=pGfPOzkXUHkihHThRMHotVghc3PnUT6N5M3nxdQ/UndKCD481eKQFqk7BX7lt4hwnC u5LPCe5B2geG8IqDV/94WCVDyUNBPZYTaucFF7J0eg84GscTWvR/aBsuQmNJrYq8xvVg xLrIU3belrI21fpqvXvuQdc8WBZfKoWBddnajWm2WMshWuwsv8EJDQwnlCsRRXpdDsvu 6qBhxLZuo9b3yEj7mXr9rFgZcw+lXGA6fBEPy74y5m+avk7TPjQFvoyDrY3JIj7mCJcf 6FRmRw55JIBsOz5B3mP4ICELcwjBfsdEZLwGJdSJa8tRudsCA5svw3yPIIv5pbYZRQr2 AD/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=bO3Cx0UA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v29si2375989eda.533.2020.04.28.11.46.06; Tue, 28 Apr 2020 11:46:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=bO3Cx0UA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731154AbgD1Smt (ORCPT + 99 others); Tue, 28 Apr 2020 14:42:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:34956 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731147AbgD1Smq (ORCPT ); Tue, 28 Apr 2020 14:42:46 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1464E20575; Tue, 28 Apr 2020 18:42:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1588099366; bh=3+ofRS7RE8FekExK6l1Hstl3mc2F4usOKMv2qO5BNHQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bO3Cx0UAFnqyAxRz/zN+8C62fwNItTocxNoHmhFYJh3zZAyIBUI+MpT/xTYhTuKHq 6hw4Q+kyh2cWvAP48Dibr4bFlIi19Syg2Jl7pisLh6ZDZRQiWI/8/1h3EgSisKFJ31 XffWmNplSlsm7dSG3MV4UgTcF0Q4p7i1Uu8aOspI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jiri Slaby Subject: [PATCH 5.4 121/168] tty: rocket, avoid OOB access Date: Tue, 28 Apr 2020 20:24:55 +0200 Message-Id: <20200428182247.748810829@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200428182231.704304409@linuxfoundation.org> References: <20200428182231.704304409@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jiri Slaby commit 7127d24372bf23675a36edc64d092dc7fd92ebe8 upstream. init_r_port can access pc104 array out of bounds. pc104 is a 2D array defined to have 4 members. Each member has 8 submembers. * we can have more than 4 (PCI) boards, i.e. [board] can be OOB * line is not modulo-ed by anything, so the first line on the second board can be 4, on the 3rd 12 or alike (depending on previously registered boards). It's zero only on the first line of the first board. So even [line] can be OOB, quite soon (with the 2nd registered board already). This code is broken for ages, so just avoid the OOB accesses and don't try to fix it as we would need to find out the correct line number. Use the default: RS232, if we are out. Generally, if anyone needs to set the interface types, a module parameter is past the last thing that should be used for this purpose. The parameters' description says it's for ISA cards anyway. Signed-off-by: Jiri Slaby Cc: stable Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Link: https://lore.kernel.org/r/20200417105959.15201-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman --- drivers/tty/rocket.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) --- a/drivers/tty/rocket.c +++ b/drivers/tty/rocket.c @@ -632,18 +632,21 @@ init_r_port(int board, int aiop, int cha tty_port_init(&info->port); info->port.ops = &rocket_port_ops; info->flags &= ~ROCKET_MODE_MASK; - switch (pc104[board][line]) { - case 422: - info->flags |= ROCKET_MODE_RS422; - break; - case 485: - info->flags |= ROCKET_MODE_RS485; - break; - case 232: - default: + if (board < ARRAY_SIZE(pc104) && line < ARRAY_SIZE(pc104_1)) + switch (pc104[board][line]) { + case 422: + info->flags |= ROCKET_MODE_RS422; + break; + case 485: + info->flags |= ROCKET_MODE_RS485; + break; + case 232: + default: + info->flags |= ROCKET_MODE_RS232; + break; + } + else info->flags |= ROCKET_MODE_RS232; - break; - } info->intmask = RXF_TRIG | TXFIFO_MT | SRC_INT | DELTA_CD | DELTA_CTS | DELTA_DSR; if (sInitChan(ctlp, &info->channel, aiop, chan) == 0) {