[PATCH] ISDN: hfcsusb: checking idx of ep configuration

From: Phong Tran
Date: Mon Jul 15 2019 - 11:08:36 EST

Next message: Sasha Levin: "[PATCH AUTOSEL 5.2 182/249] ixgbe: Check DDM existence in transceiver before access"
Previous message: Sasha Levin: "[PATCH AUTOSEL 5.2 186/249] ath9k: correctly handle short radar pulses"
Next in thread: David Miller: "Re: [PATCH] ISDN: hfcsusb: checking idx of ep configuration"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The syzbot test with random endpoint address which made the idx is
overflow in the table of endpoint configuations.

this adds the checking for fixing the error report from
syzbot

KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
The patch tested by syzbot [2]

Reported-by: syzbot+8750abbc3a46ef47d509@xxxxxxxxxxxxxxxxxxxxxxxxx

[1]:
https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
[2]:
https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ

Signed-off-by: Phong Tran <tranmanphong@xxxxxxxxx>
---
drivers/isdn/hardware/mISDN/hfcsusb.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 4c99739b937e..0e224232f746 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1955,6 +1955,9 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)

/* get endpoint base */
idx = ((ep_addr & 0x7f) - 1) * 2;
+ if (idx > 15)
+ return -EIO;
+
if (ep_addr & 0x80)
idx++;
attr = ep->desc.bmAttributes;
--
2.11.0

Next message: Sasha Levin: "[PATCH AUTOSEL 5.2 182/249] ixgbe: Check DDM existence in transceiver before access"
Previous message: Sasha Levin: "[PATCH AUTOSEL 5.2 186/249] ath9k: correctly handle short radar pulses"
Next in thread: David Miller: "Re: [PATCH] ISDN: hfcsusb: checking idx of ep configuration"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]