1 From c114944d7d67f24e71562fcfc18d550ab787e4d4 Mon Sep 17 00:00:00 2001
2 From: Alan Stern <stern@rowland.harvard.edu>
3 Date: Mon, 22 Apr 2019 11:16:04 -0400
4 Subject: USB: w1 ds2490: Fix bug caused by improper use of altsetting array
5
6 From: Alan Stern <stern@rowland.harvard.edu>
7
8 commit c114944d7d67f24e71562fcfc18d550ab787e4d4 upstream.
9
10 The syzkaller USB fuzzer spotted a slab-out-of-bounds bug in the
11 ds2490 driver. This bug is caused by improper use of the altsetting
12 array in the usb_interface structure (the array's entries are not
13 always stored in numerical order), combined with a naive assumption
14 that all interfaces probed by the driver will have the expected number
15 of altsettings.
16
17 The bug can be fixed by replacing references to the possibly
18 non-existent intf->altsetting[alt] entry with the guaranteed-to-exist
19 intf->cur_altsetting entry.
20
21 Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
22 Reported-and-tested-by: syzbot+d65f673b847a1a96cdba@syzkaller.appspotmail.com
23 CC: <stable@vger.kernel.org>
24 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
25
26 ---
27 drivers/w1/masters/ds2490.c | 6 +++---
28 1 file changed, 3 insertions(+), 3 deletions(-)
29
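--- a/drivers/w1/masters/ds2490.c
+++ b/drivers/w1/masters/ds2490.c
@@ -1039,15 +1039,15 @@ static int ds_probe(struct usb_interface
 /* alternative 3, 1ms interrupt (greatly speeds search), 64 byte bulk */
 alt = 3;
 err = usb_set_interface(dev->udev,
- intf->altsetting[alt].desc.bInterfaceNumber, alt);
+ intf->cur_altsetting->desc.bInterfaceNumber, alt);
 if (err) {
 dev_err(&dev->udev->dev, "Failed to set alternative setting %d "
 "for %d interface: err=%d.\n", alt,
- intf->altsetting[alt].desc.bInterfaceNumber, err);
+ intf->cur_altsetting->desc.bInterfaceNumber, err);
 goto err_out_clear;
 }
 
- iface_desc = &intf->altsetting[alt];
+ iface_desc = intf->cur_altsetting;
 if (iface_desc->desc.bNumEndpoints != NUM_EP-1) {
 pr_info("Num endpoints=%d. It is not DS9490R.\n",
 iface_desc->desc.bNumEndpoints);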
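Review bot: The new assignment `iface_desc = intf->cur_altsetting;` is only correct because the preceding `usb_set_interface()` call switches `cur_altsetting` to alternate setting 3 when it succeeds, and nothing in the hunk records that dependency. A one-line comment above the assignment would keep a later reader from reintroducing an index into `intf->altsetting[]`, for example `/* usb_set_interface() succeeded, so cur_altsetting is now alternate setting 3 */`. The `bNumEndpoints != NUM_EP-1` test that follows is the only validation of the device-supplied descriptor visible here. Whether the endpoint addresses and types are checked before use cannot be seen, because ds_probe starts before and continues past this hunk.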