diff options
| author | Phong Tran | 2019-07-15 17:08:14 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman | 2019-08-04 09:30:53 +0200 |
| commit | f13ee5ae0b2f3c0e2e26287394de7c645d0d8d7d (patch) | |
| tree | 3ccc9725c2c01ef4d719b1776d61af48565ce172 /drivers/isdn | |
| parent | binder: fix possible UAF when freeing buffer (diff) | |
| download | kernel-qcow2-linux-f13ee5ae0b2f3c0e2e26287394de7c645d0d8d7d.tar.gz kernel-qcow2-linux-f13ee5ae0b2f3c0e2e26287394de7c645d0d8d7d.tar.xz kernel-qcow2-linux-f13ee5ae0b2f3c0e2e26287394de7c645d0d8d7d.zip | |
ISDN: hfcsusb: checking idx of ep configuration
commit f384e62a82ba5d85408405fdd6aeff89354deaa9 upstream.
The syzbot test with random endpoint address which made the idx is
overflow in the table of endpoint configuations.
this adds the checking for fixing the error report from
syzbot
KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
The patch tested by syzbot [2]
Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com
[1]:
https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
[2]:
https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ
Signed-off-by: Phong Tran <tranmanphong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/isdn')
| -rw-r--r-- | drivers/isdn/hardware/mISDN/hfcsusb.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c index 6d05946b445e..060dc7fd66c1 100644 --- a/drivers/isdn/hardware/mISDN/hfcsusb.c +++ b/drivers/isdn/hardware/mISDN/hfcsusb.c @@ -1967,6 +1967,9 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id) /* get endpoint base */ idx = ((ep_addr & 0x7f) - 1) * 2; + if (idx > 15) + return -EIO; + if (ep_addr & 0x80) idx++; attr = ep->desc.bmAttributes; |