Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp15099032rwd; Sun, 25 Jun 2023 10:06:34 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ48AOTS61tMG6RsQsnyCy/c4X7mGnSGilC4oSxzUs9cv28OtbTDIwQgLsSIAavguUP1GXzA X-Received: by 2002:a05:6a00:1a88:b0:66a:3b01:2360 with SMTP id e8-20020a056a001a8800b0066a3b012360mr11018215pfv.21.1687712794575; Sun, 25 Jun 2023 10:06:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1687712794; cv=none; d=google.com; s=arc-20160816; b=CzSDZuVKbsYLSHe5UDP31VibrmI9Qo1dQ6vKRTb2ejQcyUUwLdxk9oekcQp9eyzaW0 1VmozgqhwqELRwWfbHKKwLptr7njaqyeJKzyN08HKqEeRVQ6Qj8PFnhFLVtO9SxX8Y+B 7mFR80rLCek/+Q+EUfJMscc+36ZecA3IkwLOCgV+i/TXD2sl3wV7OflzKuR4rJSWpe63 Aq63aY0NgZYaWHoKh3NkLFRbKK2fPpaAIoRRnFOzKWsOkCFWKIUAigtRE3aEvBD6YkPg PtWgmCk6+Uywts9y4lbbOuBGkRbIW10JgSSScyiMdUkVSHgyNQjB+RZh9dpwBpHqQarW oPfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version:date :subject:cc:to:from:message-id:dkim-signature; bh=ULx3wX+XMVeigercXBoqPiB3jqlbn7oDvMIMzYZ5TSs=; fh=Z6JnN20b47YD4wAza2JDKL7iSoOWS5ZGt9VdKNn6mXg=; b=dQLNq8yja/28IznD/aHEjqfl8Sjebu5f9JrCUY7ml8s9qjlhfRIk9eIEgDSv2IO1yn OFRqQkALKZLnwsV9uzIb2/iOPiiUoKjRH1CY9t6QCSDHq2yLJSXDgy3LCMLhy/fZiEbq nHCMmBa7G0tJbhdX+/tWIJtRWr7K5Kj/MI3SF8iAL0xNkSOoZ+FS3BVLtfK0t2yOFcxp bbsZXHyXlPJH9kUXgKzEYNVi8gg9uuDTOgFbqYIrfja3hWR3X3LNKc9wOU9lBkI4efLu JYqeGWpNSFXo7Ix9CbyeukELsUSfgz2mfHELHzCSFoidjoQCWqvk+QjanI4qBstNRJ9E 01RQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@foxmail.com header.s=s201512 header.b=CfMvs3gT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=foxmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ds5-20020a056a004ac500b00668873710ddsi3140610pfb.315.2023.06.25.10.06.22; Sun, 25 Jun 2023 10:06:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@foxmail.com header.s=s201512 header.b=CfMvs3gT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=foxmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229740AbjFYQvD (ORCPT + 99 others); Sun, 25 Jun 2023 12:51:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43680 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229558AbjFYQvA (ORCPT ); Sun, 25 Jun 2023 12:51:00 -0400 Received: from out162-62-57-210.mail.qq.com (out162-62-57-210.mail.qq.com [162.62.57.210]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 81C4AB7; Sun, 25 Jun 2023 09:50:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foxmail.com; s=s201512; t=1687711854; bh=ULx3wX+XMVeigercXBoqPiB3jqlbn7oDvMIMzYZ5TSs=; h=From:To:Cc:Subject:Date; b=CfMvs3gT3j+jBSrb5D+jtbtPtE0EwU1kx3p/zd/OlN3Q4VGKNVTqbRo0QYtM8waIJ QJigxzIlDOKS9bUFOJe8H1O7PHQ1kaoCvd4EVeIV4FRlb1ZMMUwcQm5UOJpbKnmyOw TxUkmyDRUjtCcMa+DfJ+iMDdFCwtHpdKV0xi4GbE= Received: from localhost.localdomain ([122.14.229.236]) by newxmesmtplogicsvrsza10-0.qq.com (NewEsmtp) with SMTP id A9A2A055; Mon, 26 Jun 2023 00:42:26 +0800 X-QQ-mid: xmsmtpt1687711346tg34imyg9 Message-ID: X-QQ-XMAILINFO: NUoqT9CRNGLktLe03EA26suTrp/6WoKbh3uyq6gI6Laf3iYIlrsVt+j5hNNtSs fLYRD/A6zL8h6i2kOPpD0flQHcJ3x4+RjEmPTOqeGMR4MF7djfr9nTzfyy16d5sITFmOouzOuVdT m5BeNGvLZrTqLTl1rVfMjZQlIJ3YhzNLm/hDWbzLWirEJAIveTRSQy0tMVEDJV4hRdlT/KmZELnc jUGvGqyEN4+q8UUX3pGzFn35Atc+U/I2rFqq1D7h3sPX22e/BXi2FYQCanbwor0ESnL1dDs3s2fU ayeNk4h7cM2xEeeIC95x7cF+S7JX1+IF17gfEFDU+vBEvPi+IouiHT2jqI7rIhS5WNWohdVaqRzf MpyzRW11ay4nC6JvrHAr8p8YlaeeZGr+GxU8RtR2IwwneFejF/EtjnkmTjHTw3Ha/zUge7JnEgWd dPmrzqEBLjNti4CJsm0q2gxmupNN3jNSNJGzrok9k58vjttdeLLSZPkdeALLuvHauydujeeFI7Q6 QhIGoB/ZXKfkUBWLy9qfbbKelYm8DIVG/ZtS5iPZfMdbtXjEwIZZ744A9oC4nU2O9og2NxB97cqp addINjibYwepbHwcBsJu/xT1yGXlxb1MEoOtxlLIxVa9MkROjFySkhD3TJSesjfkXdImPOFTWJEr Fq4QJz5x3o11fsbccWPVBqijqjm15K3u7APd5YcvarTD+DMyTBkJ5k7J4qchCQW/OYr1XQinnMPQ wmL/NBImn52FIkeFzE5jtoa43dOOqo80IGAsSAEqRqpyNW2jEADsdWGMvJXy2ORocIIir2Qs9HxE GUeSacyIb7QdAgxh5DZHN18GsO9bId+GnsUEhQcARu5kinI8H7VsbAZlWuuOC3wi6njBJySUlnlM SpN8QltQpHNAa6hHOexNgHacdalcJE2prZkyN0TqE1e58hB+yfbT8i/daQdtA91xsSpSElfpE83g l9ZYvyMQ0swsLePKVdDDJpjZZeKG2o/NzG0mrGAD8nfy/HJsMUFx+lfwfomt+h8HgPQ4WT+I4= X-QQ-XMRINFO: M0RWTeBkoNRBR1Uh12iQNRvA1CSLhD8+1Q== From: Zhang Shurong To: jgross@suse.com Cc: gregkh@linuxfoundation.org, xen-devel@lists.xenproject.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Zhang Shurong Subject: [PATCH] xen: fix potential shift out-of-bounds in xenhcd_hub_control() Date: Mon, 26 Jun 2023 00:42:18 +0800 X-OQ-MSGID: <20230625164218.7134-1-zhang_shurong@foxmail.com> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, HELO_DYNAMIC_IPADDR,RCVD_IN_DNSWL_NONE,RDNS_DYNAMIC,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Fix potential shift out-of-bounds in xenhcd_hub_control() ClearPortFeature handling and SetPortFeature handling. wValue may be greater than 32 which can not be used for shifting. similar patch: https://patchwork.kernel.org/patch/12162547 Signed-off-by: Zhang Shurong --- drivers/usb/host/xen-hcd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/host/xen-hcd.c b/drivers/usb/host/xen-hcd.c index 46fdab940092..c0e7207d3857 100644 --- a/drivers/usb/host/xen-hcd.c +++ b/drivers/usb/host/xen-hcd.c @@ -456,6 +456,8 @@ static int xenhcd_hub_control(struct usb_hcd *hcd, __u16 typeReq, __u16 wValue, info->ports[wIndex - 1].c_connection = false; fallthrough; default: + if (wValue >= 32) + goto error; info->ports[wIndex - 1].status &= ~(1 << wValue); break; } @@ -527,6 +529,8 @@ static int xenhcd_hub_control(struct usb_hcd *hcd, __u16 typeReq, __u16 wValue, xenhcd_rhport_suspend(info, wIndex); break; default: + if (wValue >= 32) + goto error; if (info->ports[wIndex-1].status & USB_PORT_STAT_POWER) info->ports[wIndex-1].status |= (1 << wValue); } -- 2.41.0