From: Greg Kroah-Hartman
Date: Mon, 24 Sep 2018 07:40:22 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.123~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f3949bb67be8b1bbb592d719be54958775b8ad21;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches
added patches:
usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch
---
diff --git a/queue-3.18/series b/queue-3.18/series
index 2a9e8dd8b65..4e4a1105006 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -102,3 +102,4 @@ rtc-bq4802-add-error-handling-for-devm_ioremap.patch
 alsa-pcm-fix-snd_interval_refine-first-last-with-open-min-max.patch
 drm-panel-type-promotion-bug-in-s6e8aa0_read_mtp_id.patch
 ib-nes-fix-a-compiler-warning.patch
+usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch
diff --git a/queue-3.18/usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch b/queue-3.18/usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch
new file mode 100644
index 00000000000..6418a1d1372
--- /dev/null
+++ b/queue-3.18/usb-serial-ti_usb_3410_5052-fix-array-underflow-in-completion-handler.patch
@@ -0,0 +1,38 @@
+From 5dfdd24eb3d39d815bc952ae98128e967c9bba49 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 21 Aug 2018 11:59:53 +0200
+Subject: USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
+
+From: Johan Hovold
+
+commit 5dfdd24eb3d39d815bc952ae98128e967c9bba49 upstream.
+
+Similarly to a recently reported bug in io_ti, a malicious USB device
+could set port_number to a negative value and we would underflow the
+port array in the interrupt completion handler.
+
+As these devices only have one or two ports, fix this by making sure we
+only consider the seventh bit when determining the port number (and
+ignore bits 0xb0 which are typically set to 0x30).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/usb/serial/ti_usb_3410_5052.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.h
++++ b/drivers/usb/serial/ti_usb_3410_5052.h
+@@ -223,7 +223,7 @@ struct ti_interrupt {
+ } __attribute__((packed));
+
+ /* Interrupt codes */
+-#define TI_GET_PORT_FROM_CODE(c) (((c) >> 4) - 3)
++#define TI_GET_PORT_FROM_CODE(c) (((c) >> 6) & 0x01)
+ #define TI_GET_FUNC_FROM_CODE(c) ((c) & 0x0f)
+ #define TI_CODE_HARDWARE_ERROR 0xFF
+ #define TI_CODE_DATA_ERROR 0x03
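Review bot: The rewritten `TI_GET_PORT_FROM_CODE` on the `++#define` line limits the result to 0 or 1, which closes the negative index, but 1 is still past the end of the port array on a one-port device. The fix is therefore only complete if the interrupt completion handler still checks the port number against the device's port count before indexing. That handler is outside this hunk, so this cannot be confirmed from the page. The macro would also benefit from a comment recording the layout the commit message describes, for example `/* Port is bit 6 of the code; bits 0xb0 (typically 0x30) are ignored, so the result is 0 or 1 */`, so that a later edit does not reintroduce arithmetic on device-supplied bits.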