www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Hui Peng <benquike@gmail.com>
	Wed, 12 Dec 2018 11:42:24 +0000 (12:42 +0100)
committer	Brian Maly <brian.maly@oracle.com>
	Fri, 10 May 2019 21:38:46 +0000 (17:38 -0400)
commit	0806f93d25d5b02a22d69546ceadf03957510a06
tree	8c8f06bca00c4930ff08428bf17c2c920e059283	tree
parent	1c64a805c49b69398b06f8bd3cbf91f6041ce404	commit \| diff

USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data

The function hso_probe reads if_num from the USB device (as an u8) and uses
it without a length check to index an array, resulting in an OOB memory read
in hso_probe or hso_get_config_data.

Add a length check for both locations and updated hso_probe to bail on
error.

This issue has been assigned CVE-2018-19985.

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 5146f95df782b0ac61abde36567e718692725c89)

Orabug: 29605982
CVE: CVE-2018-19985

Reviewed-by: Jack Vogel <jack.vogel@oracle.com>
Signed-off-by: Allen Pais <allen.pais@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>