Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / b1507f458d22fe86334ebc53b8f26de74598c37a
commitb1507f458d22fe86334ebc53b8f26de74598c37a[log] [tgz]
authorJohan Hovold <johan@kernel.org>Tue Aug 21 11:59:52 2018 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Wed Sep 26 08:36:36 2018 +0200
tree68223613ef046f1e3182ac267fc053c0c2331f46
parent4236e40a9d4facd4b3e6c67ccc1e486d6254cf50 [diff]
USB: serial: io_ti: fix array underflow in completion handler

commit 691a03cfe8ca483f9c48153b869d354e4ae3abef upstream.

As reported by Dan Carpenter, a malicious USB device could set
port_number to a negative value and we would underflow the port array in
the interrupt completion handler.

As these devices only have one or two ports, fix this by making sure we
only consider the seventh bit when determining the port number (and
ignore bits 0xb0 which are typically set to 0x30).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: 68223613ef046f1e3182ac267fc053c0c2331f46
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS