[PATCH] usbip: vhci_hcd: check port number before using

From: Sudip Mukherjee
Date: Mon Oct 08 2018 - 15:19:30 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.4 031/113] ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge"
Previous message: Vijay Khemka: "Re: [PATCH net-next 1/2] net/ncsi: Add NCSI Broadcom OEM command"
Next in thread: Shuah Khan: "Re: [PATCH] usbip: vhci_hcd: check port number before using"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sudip Mukherjee <sudipm.mukherjee@xxxxxxxxx>

The port number is checked and it just prints an error message but it
still continues to use the invalid port. And as a result it accesses
memory which is not its resulting in BUG report from KASAN.

Reported-by: syzbot+600b03e0cf1b73bb23c4@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: stable <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@xxxxxxxxx>
---
drivers/usb/usbip/vhci_hcd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index d11f3f8dad40..71883aa788ac 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -334,8 +334,10 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
usbip_dbg_vhci_rh("typeReq %x wValue %x wIndex %x\n", typeReq, wValue,
wIndex);

- if (wIndex > VHCI_HC_PORTS)
+ if (wIndex > VHCI_HC_PORTS) {
pr_err("invalid port number %d\n", wIndex);
+ return -ENODEV;
+ }
rhport = wIndex - 1;

vhci_hcd = hcd_to_vhci_hcd(hcd);
--
2.11.0

Next message: Greg Kroah-Hartman: "[PATCH 4.4 031/113] ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge"
Previous message: Vijay Khemka: "Re: [PATCH net-next 1/2] net/ncsi: Add NCSI Broadcom OEM command"
Next in thread: Shuah Khan: "Re: [PATCH] usbip: vhci_hcd: check port number before using"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]