* [PATCH] USB: io_edgeport: fix slab-out-of-bounds Read in edge_interrupt_callback @ 2020-03-25 7:52 Qiujun Huang 2020-03-26 8:14 ` Greg KH 0 siblings, 1 reply; 5+ messages in thread From: Qiujun Huang @ 2020-03-25 7:52 UTC (permalink / raw) To: johan, gregkh; +Cc: linux-usb, linux-kernel, anenbupt, Qiujun Huang The boundary condition should be (length - 1) as we access data[position+1]. Reported-and-tested-by: syzbot+37ba33391ad5f3935bbd@syzkaller.appspotmail.com Signed-off-by: Qiujun Huang <hqjagain@gmail.com> --- drivers/usb/serial/io_edgeport.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 5737add..4cca0b8 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -710,7 +710,7 @@ static void edge_interrupt_callback(struct urb *urb) /* grab the txcredits for the ports if available */ position = 2; portNumber = 0; - while ((position < length) && + while ((position < length - 1) && (portNumber < edge_serial->serial->num_ports)) { txCredits = data[position] | (data[position+1] << 8); if (txCredits) { -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] USB: io_edgeport: fix slab-out-of-bounds Read in edge_interrupt_callback 2020-03-25 7:52 [PATCH] USB: io_edgeport: fix slab-out-of-bounds Read in edge_interrupt_callback Qiujun Huang @ 2020-03-26 8:14 ` Greg KH 2020-03-26 8:21 ` Johan Hovold 0 siblings, 1 reply; 5+ messages in thread From: Greg KH @ 2020-03-26 8:14 UTC (permalink / raw) To: Qiujun Huang; +Cc: johan, linux-usb, linux-kernel, anenbupt On Wed, Mar 25, 2020 at 03:52:37PM +0800, Qiujun Huang wrote: > The boundary condition should be (length - 1) as we access data[position+1]. > > Reported-and-tested-by: syzbot+37ba33391ad5f3935bbd@syzkaller.appspotmail.com > Signed-off-by: Qiujun Huang <hqjagain@gmail.com> > --- > drivers/usb/serial/io_edgeport.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c > index 5737add..4cca0b8 100644 > --- a/drivers/usb/serial/io_edgeport.c > +++ b/drivers/usb/serial/io_edgeport.c > @@ -710,7 +710,7 @@ static void edge_interrupt_callback(struct urb *urb) > /* grab the txcredits for the ports if available */ > position = 2; > portNumber = 0; > - while ((position < length) && > + while ((position < length - 1) && > (portNumber < edge_serial->serial->num_ports)) { > txCredits = data[position] | (data[position+1] << 8); > if (txCredits) { > -- > 1.8.3.1 > Johan, any objection from me taking this in my tree now? thanks, greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] USB: io_edgeport: fix slab-out-of-bounds Read in edge_interrupt_callback 2020-03-26 8:14 ` Greg KH @ 2020-03-26 8:21 ` Johan Hovold 2020-03-26 9:13 ` Johan Hovold 0 siblings, 1 reply; 5+ messages in thread From: Johan Hovold @ 2020-03-26 8:21 UTC (permalink / raw) To: Greg KH; +Cc: Qiujun Huang, johan, linux-usb, linux-kernel, anenbupt On Thu, Mar 26, 2020 at 09:14:33AM +0100, Greg Kroah-Hartman wrote: > On Wed, Mar 25, 2020 at 03:52:37PM +0800, Qiujun Huang wrote: > > The boundary condition should be (length - 1) as we access data[position+1]. > > > > Reported-and-tested-by: syzbot+37ba33391ad5f3935bbd@syzkaller.appspotmail.com > > Signed-off-by: Qiujun Huang <hqjagain@gmail.com> > > --- > > drivers/usb/serial/io_edgeport.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c > > index 5737add..4cca0b8 100644 > > --- a/drivers/usb/serial/io_edgeport.c > > +++ b/drivers/usb/serial/io_edgeport.c > > @@ -710,7 +710,7 @@ static void edge_interrupt_callback(struct urb *urb) > > /* grab the txcredits for the ports if available */ > > position = 2; > > portNumber = 0; > > - while ((position < length) && > > + while ((position < length - 1) && > > (portNumber < edge_serial->serial->num_ports)) { > > txCredits = data[position] | (data[position+1] << 8); > > if (txCredits) { > > -- > > 1.8.3.1 > > > > Johan, any objection from me taking this in my tree now? Just let me take a look at it first. Are sending another PR to Linus for 5.6? Otherwise I can include this in my 5.7 PR to you. Will try to get it to you today. Johan ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] USB: io_edgeport: fix slab-out-of-bounds Read in edge_interrupt_callback 2020-03-26 8:21 ` Johan Hovold @ 2020-03-26 9:13 ` Johan Hovold 2020-03-26 9:29 ` Greg KH 0 siblings, 1 reply; 5+ messages in thread From: Johan Hovold @ 2020-03-26 9:13 UTC (permalink / raw) To: Greg KH; +Cc: Qiujun Huang, johan, linux-usb, linux-kernel, anenbupt On Thu, Mar 26, 2020 at 09:21:17AM +0100, Johan Hovold wrote: > On Thu, Mar 26, 2020 at 09:14:33AM +0100, Greg Kroah-Hartman wrote: > > On Wed, Mar 25, 2020 at 03:52:37PM +0800, Qiujun Huang wrote: > > > The boundary condition should be (length - 1) as we access data[position+1]. > > > > > > Reported-and-tested-by: syzbot+37ba33391ad5f3935bbd@syzkaller.appspotmail.com > > > Signed-off-by: Qiujun Huang <hqjagain@gmail.com> > > > --- > > > drivers/usb/serial/io_edgeport.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c > > > index 5737add..4cca0b8 100644 > > > --- a/drivers/usb/serial/io_edgeport.c > > > +++ b/drivers/usb/serial/io_edgeport.c > > > @@ -710,7 +710,7 @@ static void edge_interrupt_callback(struct urb *urb) > > > /* grab the txcredits for the ports if available */ > > > position = 2; > > > portNumber = 0; > > > - while ((position < length) && > > > + while ((position < length - 1) && > > > (portNumber < edge_serial->serial->num_ports)) { > > > txCredits = data[position] | (data[position+1] << 8); > > > if (txCredits) { > > > -- > > > 1.8.3.1 > > > > > > > Johan, any objection from me taking this in my tree now? > > Just let me take a look at it first. > > Are sending another PR to Linus for 5.6? Otherwise I can include this > in my 5.7 PR to you. Will try to get it to you today. This issue predates git so I'd add Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Acked-by: Johan Hovold <johan@kernel.org> if you want to take it yourself. Just let me know, otherwise I'll include in my PR. Johan ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] USB: io_edgeport: fix slab-out-of-bounds Read in edge_interrupt_callback 2020-03-26 9:13 ` Johan Hovold @ 2020-03-26 9:29 ` Greg KH 0 siblings, 0 replies; 5+ messages in thread From: Greg KH @ 2020-03-26 9:29 UTC (permalink / raw) To: Johan Hovold; +Cc: Qiujun Huang, linux-usb, linux-kernel, anenbupt On Thu, Mar 26, 2020 at 10:13:26AM +0100, Johan Hovold wrote: > On Thu, Mar 26, 2020 at 09:21:17AM +0100, Johan Hovold wrote: > > On Thu, Mar 26, 2020 at 09:14:33AM +0100, Greg Kroah-Hartman wrote: > > > On Wed, Mar 25, 2020 at 03:52:37PM +0800, Qiujun Huang wrote: > > > > The boundary condition should be (length - 1) as we access data[position+1]. > > > > > > > > Reported-and-tested-by: syzbot+37ba33391ad5f3935bbd@syzkaller.appspotmail.com > > > > Signed-off-by: Qiujun Huang <hqjagain@gmail.com> > > > > --- > > > > drivers/usb/serial/io_edgeport.c | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c > > > > index 5737add..4cca0b8 100644 > > > > --- a/drivers/usb/serial/io_edgeport.c > > > > +++ b/drivers/usb/serial/io_edgeport.c > > > > @@ -710,7 +710,7 @@ static void edge_interrupt_callback(struct urb *urb) > > > > /* grab the txcredits for the ports if available */ > > > > position = 2; > > > > portNumber = 0; > > > > - while ((position < length) && > > > > + while ((position < length - 1) && > > > > (portNumber < edge_serial->serial->num_ports)) { > > > > txCredits = data[position] | (data[position+1] << 8); > > > > if (txCredits) { > > > > -- > > > > 1.8.3.1 > > > > > > > > > > Johan, any objection from me taking this in my tree now? > > > > Just let me take a look at it first. > > > > Are sending another PR to Linus for 5.6? Otherwise I can include this > > in my 5.7 PR to you. Will try to get it to you today. > > This issue predates git so I'd add > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Cc: stable <stable@vger.kernel.org> > Acked-by: Johan Hovold <johan@kernel.org> > > if you want to take it yourself. Just let me know, otherwise I'll > include in my PR. I'm not sending anything to Linus for 5.6, so putting it in your 5.7 PR is fine. thanks, greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-03-26 9:29 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-03-25 7:52 [PATCH] USB: io_edgeport: fix slab-out-of-bounds Read in edge_interrupt_callback Qiujun Huang 2020-03-26 8:14 ` Greg KH 2020-03-26 8:21 ` Johan Hovold 2020-03-26 9:13 ` Johan Hovold 2020-03-26 9:29 ` Greg KH
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).