renegade-project/linux-next
2
0
Fork 0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-18 10:13:57 +08:00
Code

USB: serial: visor: handle potential invalid device configuration

Browse Source 
If we get an invalid device configuration from a palm 3 type device, we
might incorrectly parse things, and we have the potential to crash in
"interesting" ways.

Fix this up by verifying the size of the configuration passed to us by
the device, and only if it is correct, will we handle it.

Note that this also fixes an information leak of slab data.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ johan: add comment about the info leak ]
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
This commit is contained in:
Greg Kroah-Hartman 2018-04-29 17:41:55 +02:00 committed by Johan Hovold
parent 4205cb01f6
commit 4842ed5bfc
1 changed files with 35 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
drivers/usb/serial/visor.c
View File

@ -335,14 +335,25 @@ static int palm_os_3_probe(struct usb_serial *serial,
goto exit;
}
if (retval == sizeof(*connection_info)) {
connection_info = (struct visor_connection_info *)
transfer_buffer;
if (retval != sizeof(*connection_info)) {
dev_err(dev, "Invalid connection information received from device\n");
retval = -ENODEV;
goto exit;
}
connection_info = (struct visor_connection_info *)transfer_buffer;
num_ports = le16_to_cpu(connection_info->num_ports);
/* Handle devices that report invalid stuff here. */
if (num_ports == 0 || num_ports > 2) {
dev_warn(dev, "%s: No valid connect info available\n",
serial->type->description);
num_ports = 2;
}
for (i = 0; i < num_ports; ++i) {
switch (
connection_info->connections[i].port_function_id) {
switch (connection_info->connections[i].port_function_id) {
case VISOR_FUNCTION_GENERIC:
string = "Generic";
break;
@ -366,16 +377,6 @@ static int palm_os_3_probe(struct usb_serial *serial,
serial->type->description,
connection_info->connections[i].port, string);
}
}
/*
* Handle devices that report invalid stuff here.
*/
if (num_ports == 0 || num_ports > 2) {
dev_warn(dev, "%s: No valid connect info available\n",
serial->type->description);
num_ports = 2;
}
dev_info(dev, "%s: Number of ports: %d\n", serial->type->description,
num_ports);