4.14-stable patches
1 From 4842ed5bfcb9daf6660537d70503c18d38dbdbb8 Mon Sep 17 00:00:00 2001
2 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
3 Date: Sun, 29 Apr 2018 17:41:55 +0200
4 Subject: USB: serial: visor: handle potential invalid device configuration
5
6 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7
8 commit 4842ed5bfcb9daf6660537d70503c18d38dbdbb8 upstream.
9
10 If we get an invalid device configuration from a palm 3 type device, we
11 might incorrectly parse things, and we have the potential to crash in
12 "interesting" ways.
13
14 Fix this up by verifying the size of the configuration passed to us by
15 the device, and only if it is correct, will we handle it.
16
17 Note that this also fixes an information leak of slab data.
18
19 Reported-by: Andrey Konovalov <andreyknvl@google.com>
20 Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
21 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
22 [ johan: add comment about the info leak ]
23 Cc: stable <stable@vger.kernel.org>
24 Signed-off-by: Johan Hovold <johan@kernel.org>
25 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
26
27 ---
28 drivers/usb/serial/visor.c | 69 ++++++++++++++++++++++-----------------------
29 1 file changed, 35 insertions(+), 34 deletions(-)
30
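--- a/drivers/usb/serial/visor.c
+++ b/drivers/usb/serial/visor.c
@@ -335,47 +335,48 @@ static int palm_os_3_probe(struct usb_se
 goto exit;
 }
 
- if (retval == sizeof(*connection_info)) {
- connection_info = (struct visor_connection_info *)
- transfer_buffer;
-
- num_ports = le16_to_cpu(connection_info->num_ports);
- for (i = 0; i < num_ports; ++i) {
- switch (
- connection_info->connections[i].port_function_id) {
- case VISOR_FUNCTION_GENERIC:
- string = "Generic";
- break;
- case VISOR_FUNCTION_DEBUGGER:
- string = "Debugger";
- break;
- case VISOR_FUNCTION_HOTSYNC:
- string = "HotSync";
- break;
- case VISOR_FUNCTION_CONSOLE:
- string = "Console";
- break;
- case VISOR_FUNCTION_REMOTE_FILE_SYS:
- string = "Remote File System";
- break;
- default:
- string = "unknown";
- break;
- }
- dev_info(dev, "%s: port %d, is for %s use\n",
- serial->type->description,
- connection_info->connections[i].port, string);
- }
+ if (retval != sizeof(*connection_info)) {
+ dev_err(dev, "Invalid connection information received from device\n");
+ retval = -ENODEV;
+ goto exit;
 }
- /*
- * Handle devices that report invalid stuff here.
- */
+
+ connection_info = (struct visor_connection_info *)transfer_buffer;
+
+ num_ports = le16_to_cpu(connection_info->num_ports);
+
+ /* Handle devices that report invalid stuff here. */
 if (num_ports == 0 || num_ports > 2) {
 dev_warn(dev, "%s: No valid connect info available\n",
 serial->type->description);
 num_ports = 2;
 }
 
+ for (i = 0; i < num_ports; ++i) {
+ switch (connection_info->connections[i].port_function_id) {
+ case VISOR_FUNCTION_GENERIC:
+ string = "Generic";
+ break;
+ case VISOR_FUNCTION_DEBUGGER:
+ string = "Debugger";
+ break;
+ case VISOR_FUNCTION_HOTSYNC:
+ string = "HotSync";
+ break;
+ case VISOR_FUNCTION_CONSOLE:
+ string = "Console";
+ break;
+ case VISOR_FUNCTION_REMOTE_FILE_SYS:
+ string = "Remote File System";
+ break;
+ default:
+ string = "unknown";
+ break;
+ }
+ dev_info(dev, "%s: port %d, is for %s use\n",
+ serial->type->description,
+ connection_info->connections[i].port, string);
+ }
 dev_info(dev, "%s: Number of ports: %d\n", serial->type->description,
 num_ports);
 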
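Review bot: The new `for` loop indexes `connection_info->connections[i]` safely only because it now runs after the `num_ports == 0 || num_ports > 2` clamp, and nothing in the code records that ordering requirement. The commit message mentions the slab info leak but the source does not, so a later reshuffle could put the loop back ahead of the clamp and reintroduce the out-of-bounds read that feeds `dev_info()`. I would add a comment above the loop such as `/* num_ports is clamped above; connections[i] must stay within the reply buffer */`, and, if `connections[]` is declared with two entries as the literal suggests (its declaration is outside this hunk), write the bound as `num_ports > ARRAY_SIZE(connection_info->connections)`. `palm_os_3_probe()` starts before and continues past this hunk, so the `exit` path taken by the new `-ENODEV` return is not visible here.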