4.4-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Mon, 24 Sep 2018 07:39:07 +0000 (09:39 +0200)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Mon, 24 Sep 2018 07:39:07 +0000 (09:39 +0200)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Sep 2018 07:39:07 +0000 (09:39 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Sep 2018 07:39:07 +0000 (09:39 +0200)
diff --git a/queue-4.4/series b/queue-4.4/series

index a50e12693748989eecb094e84d3b5fc272692e8e..6cb0421d788bbce611fc2b3488d62d80d31459ad 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -63,3 +63,4 @@ selftest-timers-tweak-raw_skew-to-skip-when-adj_offset-other-clock-adjustments-a
  drm-panel-type-promotion-bug-in-s6e8aa0_read_mtp_id.patch
  ib-nes-fix-a-compiler-warning.patch
  pinctrl-qcom-spmi-gpio-fix-pmic_gpio_config_get-to-be-compliant.patch
+usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch
diff --git a/queue-4.4/usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch b/queue-4.4/usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch

new file mode 100644 (file)

index 0000000..724fbb8
--- /dev/null
+++ b/queue-4.4/usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch
@@ -0,0 +1,38 @@
+From 5dfdd24eb3d39d815bc952ae98128e967c9bba49 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Aug 2018 11:59:53 +0200
+Subject: USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 5dfdd24eb3d39d815bc952ae98128e967c9bba49 upstream.
+
+Similarly to a recently reported bug in io_ti, a malicious USB device
+could set port_number to a negative value and we would underflow the
+port array in the interrupt completion handler.
+
+As these devices only have one or two ports, fix this by making sure we
+only consider the seventh bit when determining the port number (and
+ignore bits 0xb0 which are typically set to 0x30).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/usb/serial/ti_usb_3410_5052.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.h
++++ b/drivers/usb/serial/ti_usb_3410_5052.h
+@@ -227,7 +227,7 @@ struct ti_interrupt {
+ } __attribute__((packed));
+ 
+ /* Interrupt codes */
+-#define TI_GET_PORT_FROM_CODE(c)      (((c) >> 4) - 3)
++#define TI_GET_PORT_FROM_CODE(c)      (((c) >> 6) & 0x01)
+ #define TI_GET_FUNC_FROM_CODE(c)      ((c) & 0x0f)
+ #define TI_CODE_HARDWARE_ERROR                0xFF
+ #define TI_CODE_DATA_ERROR            0x03
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 24 Sep 2018 07:39:07 +0000 (09:39 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 24 Sep 2018 07:39:07 +0000 (09:39 +0200)
queue-4.4/series		patch \| blob \| blame \| history
queue-4.4/usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch	[new file with mode: 0644]	patch \| blob