| Message ID | 1532356855-12674-2-git-send-email-paolo.pisati@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | USB: serial: kl5kusb105: fix line-state error handling | expand |
On 07/23/18 16:40, Paolo Pisati wrote: > From: Johan Hovold <johan@kernel.org> > > CVE-2017-5549 > > The current implementation failed to detect short transfers when > attempting to read the line state, and also, to make things worse, > logged the content of the uninitialised heap transfer buffer. > > Fixes: abf492e7b3ae ("USB: kl5kusb105: fix DMA buffers on stack") > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Cc: stable <stable@vger.kernel.org> > Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > Signed-off-by: Johan Hovold <johan@kernel.org> > (cherry picked from commit 146cc8a17a3b4996f6805ee5c080e7101277c410) > Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > drivers/usb/serial/kl5kusb105.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/drivers/usb/serial/kl5kusb105.c b/drivers/usb/serial/kl5kusb105.c > index 1b4054f..8f75faf 100644 > --- a/drivers/usb/serial/kl5kusb105.c > +++ b/drivers/usb/serial/kl5kusb105.c > @@ -198,10 +198,11 @@ static int klsi_105_get_line_state(struct usb_serial_port *port, > status_buf, KLSI_STATUSBUF_LEN, > 10000 > ); > - if (rc < 0) > - dev_err(&port->dev, "Reading line status failed (error = %d)\n", > - rc); > - else { > + if (rc != KLSI_STATUSBUF_LEN) { > + dev_err(&port->dev, "reading line status failed: %d\n", rc); > + if (rc >= 0) > + rc = -EIO; > + } else { > status = get_unaligned_le16(status_buf); > > dev_info(&port->serial->dev->dev, "read status %x %x", >
Applied to trusty master-next. ...Juerg On 07/23/2018 04:40 PM, Paolo Pisati wrote: > From: Johan Hovold <johan@kernel.org> > > CVE-2017-5549 > > The current implementation failed to detect short transfers when > attempting to read the line state, and also, to make things worse, > logged the content of the uninitialised heap transfer buffer. > > Fixes: abf492e7b3ae ("USB: kl5kusb105: fix DMA buffers on stack") > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Cc: stable <stable@vger.kernel.org> > Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > Signed-off-by: Johan Hovold <johan@kernel.org> > (cherry picked from commit 146cc8a17a3b4996f6805ee5c080e7101277c410) > Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> > --- > drivers/usb/serial/kl5kusb105.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/drivers/usb/serial/kl5kusb105.c b/drivers/usb/serial/kl5kusb105.c > index 1b4054f..8f75faf 100644 > --- a/drivers/usb/serial/kl5kusb105.c > +++ b/drivers/usb/serial/kl5kusb105.c > @@ -198,10 +198,11 @@ static int klsi_105_get_line_state(struct usb_serial_port *port, > status_buf, KLSI_STATUSBUF_LEN, > 10000 > ); > - if (rc < 0) > - dev_err(&port->dev, "Reading line status failed (error = %d)\n", > - rc); > - else { > + if (rc != KLSI_STATUSBUF_LEN) { > + dev_err(&port->dev, "reading line status failed: %d\n", rc); > + if (rc >= 0) > + rc = -EIO; > + } else { > status = get_unaligned_le16(status_buf); > > dev_info(&port->serial->dev->dev, "read status %x %x", >
diff --git a/drivers/usb/serial/kl5kusb105.c b/drivers/usb/serial/kl5kusb105.c index 1b4054f..8f75faf 100644 --- a/drivers/usb/serial/kl5kusb105.c +++ b/drivers/usb/serial/kl5kusb105.c @@ -198,10 +198,11 @@ static int klsi_105_get_line_state(struct usb_serial_port *port, status_buf, KLSI_STATUSBUF_LEN, 10000 ); - if (rc < 0) - dev_err(&port->dev, "Reading line status failed (error = %d)\n", - rc); - else { + if (rc != KLSI_STATUSBUF_LEN) { + dev_err(&port->dev, "reading line status failed: %d\n", rc); + if (rc >= 0) + rc = -EIO; + } else { status = get_unaligned_le16(status_buf); dev_info(&port->serial->dev->dev, "read status %x %x",