From: Greg Kroah-Hartman
Date: Mon, 24 Sep 2018 07:39:07 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.123~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dbff31351f54f18f0e6608589fedd17f381a2873;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches added patches: usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch
---
diff --git a/queue-4.4/series b/queue-4.4/series
index a50e1269374..6cb0421d788 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -63,3 +63,4 @@ selftest-timers-tweak-raw_skew-to-skip-when-adj_offset-other-clock-adjustments-a
 drm-panel-type-promotion-bug-in-s6e8aa0_read_mtp_id.patch
 ib-nes-fix-a-compiler-warning.patch
 pinctrl-qcom-spmi-gpio-fix-pmic_gpio_config_get-to-be-compliant.patch
+usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch
diff --git a/queue-4.4/usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch b/queue-4.4/usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch
new file mode 100644
index 00000000000..724fbb8591c
--- /dev/null
+++ b/queue-4.4/usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch
@@ -0,0 +1,38 @@
+From 5dfdd24eb3d39d815bc952ae98128e967c9bba49 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 21 Aug 2018 11:59:53 +0200
+Subject: USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
+
+From: Johan Hovold
+
+commit 5dfdd24eb3d39d815bc952ae98128e967c9bba49 upstream.
+
+Similarly to a recently reported bug in io_ti, a malicious USB device
+could set port_number to a negative value and we would underflow the
+port array in the interrupt completion handler.
+
+As these devices only have one or two ports, fix this by making sure we
+only consider the seventh bit when determining the port number (and
+ignore bits 0xb0 which are typically set to 0x30).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/usb/serial/ti_usb_3410_5052.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.h
++++ b/drivers/usb/serial/ti_usb_3410_5052.h
+@@ -227,7 +227,7 @@ struct ti_interrupt {
+ } __attribute__((packed));
+
+ /* Interrupt codes */
+-#define TI_GET_PORT_FROM_CODE(c) (((c) >> 4) - 3)
++#define TI_GET_PORT_FROM_CODE(c) (((c) >> 6) & 0x01)
+ #define TI_GET_FUNC_FROM_CODE(c) ((c) & 0x0f)
+ #define TI_CODE_HARDWARE_ERROR 0xFF
+ #define TI_CODE_DATA_ERROR 0x03
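Review bot: The new `TI_GET_PORT_FROM_CODE` in the `ti_usb_3410_5052.h` hunk limits the result to 0 or 1, which removes the negative index, but on a one-port device a value of 1 is still out of range unless the caller compares it with the port count. That caller is not in this hunk, so the 4.4 tree's interrupt completion handler should be checked for such an upper-bound test before relying on this backport. The macro also now maps every code byte to a plausible port, so a malformed code from the device can no longer be told apart at this point. A comment above the macro would record why the mask is there, for example `/* c is device-supplied: use bit 6 only so the port index is always 0 or 1 */`.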