ISDN: hfcsusb: checking idx of ep configuration [Linux 4.9.187]

This Linux kernel change "ISDN: hfcsusb: checking idx of ep configuration" is included in the Linux 4.9.187 release. This change is authored by Phong Tran <tranmanphong [at] gmail.com> on Mon Jul 15 22:08:14 2019 +0700. The commit for this change in Linux stable tree is af34434 (patch) which is from upstream commit f384e62. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream f384e62.

ISDN: hfcsusb: checking idx of ep configuration

commit f384e62a82ba5d85408405fdd6aeff89354deaa9 upstream.

The syzbot test with random endpoint address which made the idx is
overflow in the table of endpoint configuations.

this adds the checking for fixing the error report from
syzbot

KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
The patch tested by syzbot [2]

Reported-by: [email protected]

[1]:
https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
[2]:
https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ

Signed-off-by: Phong Tran <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

There are 3 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 drivers/isdn/hardware/mISDN/hfcsusb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 114f3bc..c60c799 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1963,6 +1963,9 @@ static int write_reg(struct hfcsusb *hw, __u8 reg, __u8 val)

                /* get endpoint base */
                idx = ((ep_addr & 0x7f) - 1) * 2;
+               if (idx > 15)
+                   return -EIO;
+
                if (ep_addr & 0x80)
                    idx++;
                attr = ep->desc.bmAttributes;

Leave a Reply

Your email address will not be published. Required fields are marked *