| -rw-r--r-- | series | 1 | ||||
| -rw-r--r-- | usb-serial-visor-handle-potential-invalid-device-configuration.patch | 113 |
2 files changed, 114 insertions, 0 deletions
@@ -1,5 +1,6 @@ # +usb-serial-visor-handle-potential-invalid-device-configuration.patch usb_DEVICE_ATTR.patch
diff --git a/usb-serial-visor-handle-potential-invalid-device-configuration.patch b/usb-serial-visor-handle-potential-invalid-device-configuration.patch
new file mode 100644
index 00000000000000..15f465118ab947
--- /dev/null
+++ b/usb-serial-visor-handle-potential-invalid-device-configuration.patch
@@ -0,0 +1,113 @@
+From foo@baz Sun Apr 29 17:37:43 CEST 2018
+Date: Sun, 29 Apr 2018 17:37:43 +0200
+To: Greg KH <gregkh@linuxfoundation.org>
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Subject: [PATCH] USB: serial: visor: handle potential invalid device configuration
+
+If we get an invalid device configuration from a palm 3 type device, we
+might incorrectly parse things, and we have the potential to crash in
+"interesting" ways.
+
+Fix this up by verifying the size of the configuration passed to us by
+the device, and only if it is correct, will we handle it.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+
+Here is my long-forgotten patch for the visor driver to resolve an issue
+that Andrey found back in September of 2017. Sorry for the long delay.
+
+Johan, I incorporated your review comments of my original one-off patch
+here as well.
+
+
+diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
+index f5373ed2cd45..8ddbecc25d89 100644
+--- a/drivers/usb/serial/visor.c
++++ b/drivers/usb/serial/visor.c
+@@ -335,47 +335,48 @@ static int palm_os_3_probe(struct usb_serial *serial,
+ goto exit;
+ }
+
+- if (retval == sizeof(*connection_info)) {
+- connection_info = (struct visor_connection_info *)
+- transfer_buffer;
+-
+- num_ports = le16_to_cpu(connection_info->num_ports);
+- for (i = 0; i < num_ports; ++i) {
+- switch (
+- connection_info->connections[i].port_function_id) {
+- case VISOR_FUNCTION_GENERIC:
+- string = "Generic";
+- break;
+- case VISOR_FUNCTION_DEBUGGER:
+- string = "Debugger";
+- break;
+- case VISOR_FUNCTION_HOTSYNC:
+- string = "HotSync";
+- break;
+- case VISOR_FUNCTION_CONSOLE:
+- string = "Console";
+- break;
+- case VISOR_FUNCTION_REMOTE_FILE_SYS:
+- string = "Remote File System";
+- break;
+- default:
+- string = "unknown";
+- break;
+- }
+- dev_info(dev, "%s: port %d, is for %s use\n",
+- serial->type->description,
+- connection_info->connections[i].port, string);
+- }
++ if (retval != sizeof(*connection_info)) {
++ dev_err(dev, "Invalid connection information received from device\n");
++ retval = -ENODEV;
++ goto exit;
+ }
+- /*
+- * Handle devices that report invalid stuff here.
+- */
++
++ connection_info = (struct visor_connection_info *)transfer_buffer;
++
++ num_ports = le16_to_cpu(connection_info->num_ports);
++
++ /* Handle devices that report invalid stuff here. */
+ if (num_ports == 0 || num_ports > 2) {
+ dev_warn(dev, "%s: No valid connect info available\n",
+ serial->type->description);
+ num_ports = 2;
+ }
+
++ for (i = 0; i < num_ports; ++i) {
++ switch (connection_info->connections[i].port_function_id) {
++ case VISOR_FUNCTION_GENERIC:
++ string = "Generic";
++ break;
++ case VISOR_FUNCTION_DEBUGGER:
++ string = "Debugger";
++ break;
++ case VISOR_FUNCTION_HOTSYNC:
++ string = "HotSync";
++ break;
++ case VISOR_FUNCTION_CONSOLE:
++ string = "Console";
++ break;
++ case VISOR_FUNCTION_REMOTE_FILE_SYS:
++ string = "Remote File System";
++ break;
++ default:
++ string = "unknown";
++ break;
++ }
++ dev_info(dev, "%s: port %d, is for %s use\n",
++ serial->type->description,
++ connection_info->connections[i].port, string);
++ }
+ dev_info(dev, "%s: Number of ports: %d\n", serial->type->description,
+ num_ports);
+ |
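Review bot: The relocated loop over `connection_info->connections[i]` is bounded only by the device-supplied `num_ports`, so its safety rests on the `num_ports > 2` clamp staying ahead of it and on the literal 2 matching the length of `connections[]`, which is declared outside this patch. Tying the bound to the array, `if (num_ports == 0 || num_ports > ARRAY_SIZE(connection_info->connections)) {`, together with a comment such as `/* num_ports is device-controlled; clamp before indexing connections[] */`, would keep a later reorder from reintroducing the out-of-bounds read this change removes. A reply of the wrong length now fails the probe with `-ENODEV`, where the old code appears to have fallen through to the two-port default, so it is worth confirming that no supported device answers with a short structure. palm_os_3_probe begins and ends outside the inner hunk, so the cleanup at the `exit` label could not be checked here.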
