Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / acec9b4dadd3d93ae5dd380571c61f1a7c49baf9
commitacec9b4dadd3d93ae5dd380571c61f1a7c49baf9[log] [tgz]
authorHui Peng <benquike@gmail.com>Wed Dec 12 12:42:24 2018 +0100
committerchrmhoffmann <chrmhoffmann@gmail.com>Sun Apr 05 10:15:06 2020 +0200
treeed5bdae304e74331f30cab13011267d3394407d9
parent3feb3b069b79f4b4d095989b45d10b2546b073fc [diff]
USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data

commit 5146f95df782b0ac61abde36567e718692725c89 upstream.

The function hso_probe reads if_num from the USB device (as an u8) and uses
it without a length check to index an array, resulting in an OOB memory read
in hso_probe or hso_get_config_data.

Add a length check for both locations and updated hso_probe to bail on
error.

This issue has been assigned CVE-2018-19985.

Change-Id: I592d0f50b24abe5b8d270fab303c9cb78fbd546f
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
1 file changed
tree: ed5bdae304e74331f30cab13011267d3394407d9
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. AndroidKernel.mk
  25. COPYING
  26. CREDITS
  27. Kbuild
  28. Kconfig
  29. MAINTAINERS
  30. Makefile
  31. README
  32. REPORTING-BUGS