mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-28 11:18:45 +07:00
9c6256a5e7
This patch fixes fives off-by-one bugs in the ftdi-elan driver code. The bug can be triggered by plugging a USB adapter for CardBus 3G cards (model U132 manufactured by Elan Digital Systems, Ltd), causing a kernel panic. The fix was tested on Ubuntu 14.04.4 with 4.7.0-rc14.2.0-27-generic+ and 4.4.0-22-generic+ kernel. In the ftdi_elan_synchronize function, an off-by-one memory corruption occurs when packet_bytes is equal or bigger than m. After having read m bytes, that is bytes_read is equal to m, " ..\x00" is still copied to the stack variable causing an out bounds write of 4 bytes, which overwrites the stack canary and results in a kernel panic. This off-by-one requires physical access to the machine. It is not exploitable since we have no control on the overwritten data. Similar off-by-one bugs have been observed in 4 other functions: ftdi_elan_stuck_waiting, ftdi_elan_read, ftdi_elan_edset_output and ftdi_elan_flush_input_fifo. Reported-by: Alex Palesandro <palexster@gmail.com> Signed-off-by: Xiao Han <xiao.han@orange.fr> Tested-by: Paul Chaignon <pchaigno@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| sisusbvga | ||
| adutux.c | ||
| appledisplay.c | ||
| chaoskey.c | ||
| cypress_cy7c63.c | ||
| cytherm.c | ||
| ehset.c | ||
| emi26.c | ||
| emi62.c | ||
| ezusb.c | ||
| ftdi-elan.c | ||
| idmouse.c | ||
| iowarrior.c | ||
| isight_firmware.c | ||
| Kconfig | ||
| ldusb.c | ||
| legousbtower.c | ||
| lvstest.c | ||
| Makefile | ||
| rio500_usb.h | ||
| rio500.c | ||
| trancevibrator.c | ||
| ucsi.c | ||
| ucsi.h | ||
| usb3503.c | ||
| usb_u132.h | ||
| usblcd.c | ||
| usbsevseg.c | ||
| usbtest.c | ||
| uss720.c | ||
| yurex.c | ||