Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp701877ybz; Fri, 1 May 2020 07:04:34 -0700 (PDT) X-Google-Smtp-Source: APiQypLcphihqw8Wm9QFKvZGWuXmh2rqjfWyYPx+VAJvyFR4ClpRiWg8wnkb3Wv4zSBlwGqnkIbc X-Received: by 2002:a05:6402:1adc:: with SMTP id ba28mr3726210edb.336.1588341874001; Fri, 01 May 2020 07:04:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588341873; cv=none; d=google.com; s=arc-20160816; b=UbMHX5r+ur+gKjZ3wCL5GraVBHqjlO7y+U3R3PaFSlRLzs2UURU/y4Xs7RfQu3PDhF LcLof6Ucea6cg1sUNJ5VUmcahsIekgxVRI92MWQlxjBdaEFYnGRbCGYeEhp9zMcBKbZ+ v46sd6uxCdNb37UvMBo4YZiAsFDMqAIjoOUOmQTFFaSWHhfy+rNebA3naxGU4iXwFabU a+pjlHzi9EIO7rb6FNtmSF8inSIC5jqMjsgfRoA3HHFpbIFeXnLk+6Ol9CuMqu0frNyT sNQjwfiTB3nM8lAmcb4M5cOPf28BrApca5RI2sQF6BC209CflwesWA5JFeeykugoHjEA /clg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=lxNP8eyvS0/faTjxvcmEqAZ0EM5+7xy1VJVl+TUipoE=; b=bwKKogo3TqVF/EEcboRQB3DUNBASYHVx2TWUg6AdNnXyt0odFnc8KtycBnaW4KYGRn qVZ3eMFY5Y6xB1/EFt/Ccr83pTXoEf+Qz/NsU1nlMIlr82bYZqjAqKBkZUJokvbW7ot1 FCwHgV2v4xRM3NgkXJnvNi1zgzXj8x4E8j+syVIFD8fAS80QWk1cLMD9ixfdfTdrvo11 P31FEc+7iYwfQMaZ6rBgNoXfexSzbO6TbVR+41umKmeNNooYPaHpedLZj+4clUbFW1fD 0IlM1r8fJ8MKILP+cjXJpRJTYhw/iEG2RcyD3xJQY0SD18ZzwbQF0jO92+A5LxFQQnWL 0uEQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=xhQIxx9j; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n18si1795109ejj.459.2020.05.01.07.03.59; Fri, 01 May 2020 07:04:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=xhQIxx9j; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729319AbgEAN0o (ORCPT + 99 others); Fri, 1 May 2020 09:26:44 -0400 Received: from mail.kernel.org ([198.145.29.99]:48528 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729306AbgEAN0l (ORCPT ); Fri, 1 May 2020 09:26:41 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5B15D20757; Fri, 1 May 2020 13:26:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1588339600; bh=nhCt2Lm+GlbVDcPUrxjnDLRk9fDfQp0uSJp10Ax2z50=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xhQIxx9jaRMK4LJhyigIkPd7+NBUyIhvWQrDdWA+wfermqpWt3XRxCy0oXp+9eEAm JpK9ZzGRee3PnVGXfZFqcMKuciPK0Q7l8WDiVMMNSYdtGcDzRjjx/CJhRetuRpmF0V BGVyZxnWSUH4IUkoNy+UeCNTfXp95zATxTpHqJvo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jiri Slaby Subject: [PATCH 4.4 42/70] tty: rocket, avoid OOB access Date: Fri, 1 May 2020 15:21:30 +0200 Message-Id: <20200501131526.509105545@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200501131513.302599262@linuxfoundation.org> References: <20200501131513.302599262@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jiri Slaby commit 7127d24372bf23675a36edc64d092dc7fd92ebe8 upstream. init_r_port can access pc104 array out of bounds. pc104 is a 2D array defined to have 4 members. Each member has 8 submembers. * we can have more than 4 (PCI) boards, i.e. [board] can be OOB * line is not modulo-ed by anything, so the first line on the second board can be 4, on the 3rd 12 or alike (depending on previously registered boards). It's zero only on the first line of the first board. So even [line] can be OOB, quite soon (with the 2nd registered board already). This code is broken for ages, so just avoid the OOB accesses and don't try to fix it as we would need to find out the correct line number. Use the default: RS232, if we are out. Generally, if anyone needs to set the interface types, a module parameter is past the last thing that should be used for this purpose. The parameters' description says it's for ISA cards anyway. Signed-off-by: Jiri Slaby Cc: stable Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Link: https://lore.kernel.org/r/20200417105959.15201-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman --- drivers/tty/rocket.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) --- a/drivers/tty/rocket.c +++ b/drivers/tty/rocket.c @@ -645,18 +645,21 @@ static void init_r_port(int board, int a info->port.ops = &rocket_port_ops; init_completion(&info->close_wait); info->flags &= ~ROCKET_MODE_MASK; - switch (pc104[board][line]) { - case 422: - info->flags |= ROCKET_MODE_RS422; - break; - case 485: - info->flags |= ROCKET_MODE_RS485; - break; - case 232: - default: + if (board < ARRAY_SIZE(pc104) && line < ARRAY_SIZE(pc104_1)) + switch (pc104[board][line]) { + case 422: + info->flags |= ROCKET_MODE_RS422; + break; + case 485: + info->flags |= ROCKET_MODE_RS485; + break; + case 232: + default: + info->flags |= ROCKET_MODE_RS232; + break; + } + else info->flags |= ROCKET_MODE_RS232; - break; - } info->intmask = RXF_TRIG | TXFIFO_MT | SRC_INT | DELTA_CD | DELTA_CTS | DELTA_DSR; if (sInitChan(ctlp, &info->channel, aiop, chan) == 0) {