stabilize-9592.15.B-chromeos-3.10 - chromiumos/third_party/kernel

commit	7cb9f1ba6af767620ded214d0391169d192e43b2	[log] [tgz]
author	Johan Hovold <johan@kernel.org>	Mon Mar 06 16:36:40 2017
committer	chrome-bot <chrome-bot@chromium.org>	Thu May 25 17:24:46 2017
tree	35641a4167022ee7ad66b1ba2b64dedd25bae27f
parent	f1950c663646bd12133474e6c125cfd27d1c02e8 [diff]

UPSTREAM: USB: serial: io_ti: fix information leak in completion handler

Add missing sanity check to the bulk-in completion handler to avoid an
integer underflow that can be triggered by a malicious device.

This avoids leaking 128 kB of memory content from after the URB transfer
buffer to user space.

BUG=chromium:725017
TEST=Build and run

Change-Id: I5e6c6c6f09b06637f1f96bf7c7dfe32bf4ec14ff
Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>	# 2.6.30
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 654b404f2a2)
Reviewed-on: https://chromium-review.googlesource.com/514444
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit 684dbc9bd2478f727cbd712bcad8e3fd0343a561)
Reviewed-on: https://chromium-review.googlesource.com/515204

drivers/usb/serial/io_ti.c[diff]

1 file changed

tree: 35641a4167022ee7ad66b1ba2b64dedd25bae27f