| From: Johan Hovold <johan@kernel.org> |
| Date: Tue, 21 Aug 2018 11:59:52 +0200 |
| Subject: USB: serial: io_ti: fix array underflow in completion handler |
| |
| commit 691a03cfe8ca483f9c48153b869d354e4ae3abef upstream. |
| |
| As reported by Dan Carpenter, a malicious USB device could set |
| port_number to a negative value and we would underflow the port array in |
| the interrupt completion handler. |
| |
| As these devices only have one or two ports, fix this by making sure we |
| only consider the seventh bit when determining the port number (and |
| ignore bits 0xb0 which are typically set to 0x30). |
| |
| Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") |
| Reported-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Johan Hovold <johan@kernel.org> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| drivers/usb/serial/io_ti.h | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/usb/serial/io_ti.h |
| +++ b/drivers/usb/serial/io_ti.h |
| @@ -178,7 +178,7 @@ struct ump_interrupt { |
| } __attribute__((packed)); |
| |
| |
| -#define TIUMP_GET_PORT_FROM_CODE(c) (((c) >> 4) - 3) |
| +#define TIUMP_GET_PORT_FROM_CODE(c) (((c) >> 6) & 0x01) |
| #define TIUMP_GET_FUNC_FROM_CODE(c) ((c) & 0x0f) |
| #define TIUMP_INTERRUPT_CODE_LSR 0x03 |
| #define TIUMP_INTERRUPT_CODE_MSR 0x04 |
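Review bot: `TIUMP_GET_PORT_FROM_CODE` on the added line now yields only 0 or 1, which removes the negative index but still lets a device with a single port report port 1. The completion handler that indexes the port array is outside this hunk, so it is worth confirming that it compares the result with the number of ports the device actually has before using the entry. The macro also deserves a comment recording the bit layout the fix relies on, for example `/* port is bit 6 of the code; bits 0xb0 (typically 0x30) are ignored, so the result is always 0 or 1 */`. Without that comment the mask looks arbitrary, and a later change could reintroduce the arithmetic form.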