From: Tobias Herzog
To: oneukum@suse.com
Cc: gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v3 1/4] cdc-acm: fix possible invalid access when processing notification
Date: Thu, 30 Mar 2017 22:15:10 +0200
Message-Id: <1490904913-3222-2-git-send-email-t-herzog@gmx.de>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1490904913-3222-1-git-send-email-t-herzog@gmx.de>
References: <1479118868.21146.4.camel@suse.com> <1490904913-3222-1-git-send-email-t-herzog@gmx.de>
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Notifications may only be 8 bytes long. Accessing the 9th and 10th byte of unimplemented/unknown notifications may be insecure. Also check the length of known notifications before accessing anything behind the 8th byte.

Signed-off-by: Tobias Herzog --- drivers/usb/class/cdc-acm.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c index e35b150..f554e2f 100644 --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -322,6 +322,12 @@ static void acm_ctrl_irq(struct urb *urb) break; case USB_CDC_NOTIFY_SERIAL_STATE: + if (le16_to_cpu(dr->wLength) != 2) { + dev_dbg(&acm->control->dev, + "%s - malformed serial state\n", __func__); + break; + } + newctrl = get_unaligned_le16(data); if (!acm->clocal && (acm->ctrlin & ~newctrl & ACM_CTRL_DCD)) { @@ -358,11 +364,10 @@ static void acm_ctrl_irq(struct urb *urb) default: dev_dbg(&acm->control->dev, - "%s - unknown notification %d received: index %d " - "len %d data0 %d data1 %d\n", + "%s - unknown notification %d received: index %d len %d\n", __func__, - dr->bNotificationType, dr->wIndex, - dr->wLength, data[0], data[1]); + dr->bNotificationType, dr->wIndex, dr->wLength); + break; } exit: -- 2.1.4
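Review bot: In the USB_CDC_NOTIFY_SERIAL_STATE case (hunk at @@ -322,6 +322,12), the new check validates only the device-supplied dr->wLength; nothing in the visible lines ties that field to the number of bytes the URB actually delivered. A notification that declares wLength 2 but arrives with only the 8-byte header would pass the check and still reach get_unaligned_le16(data). Unless the received length is already verified earlier in acm_ctrl_irq, outside this hunk, suggest also rejecting the notification when urb->actual_length is smaller than sizeof(*dr) + 2 before data is read, and logging it with the same "malformed serial state" message.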
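Review bot: In the default case (hunk at @@ -358,11 +364,10), dr->wIndex and dr->wLength are passed to dev_dbg as raw values, while the first hunk reads the same field through le16_to_cpu(dr->wLength). On a big-endian host the logged index and len would be byte-swapped, which makes the debug line misleading exactly when someone is diagnosing an unknown notification. Suggest logging le16_to_cpu(dr->wIndex) and le16_to_cpu(dr->wLength). Dropping data[0] and data[1] from the format string is consistent with the commit message's point about not touching bytes past the 8th.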