path: root/lib/mpi/mpi-bit.c
author: Xiao Han <[email protected]> 2016-06-14 16:22:54 +0200
committer: Greg Kroah-Hartman <[email protected]> 2016-08-09 15:45:59 +0200
commit: 9c6256a5e707a9eb8b91962b550050b13aa75334 (patch)
tree: bfd9bd5a35e7648fffe2353e36259b50cb0369cd /lib/mpi/mpi-bit.c
parent: 28324936f3d672bbf83472fece8f36a158a52276 (diff)
usb: misc: ftdi-elan: Fix off-by-one memory corruptions

This patch fixes five off-by-one bugs in the ftdi-elan driver code. The bug can be triggered by plugging a USB adapter for CardBus 3G cards (model U132 manufactured by Elan Digital Systems, Ltd), causing a kernel panic. The fix was tested on Ubuntu 14.04.4 with 4.7.0-rc14.2.0-27-generic+ and 4.4.0-22-generic+ kernel.

In the ftdi_elan_synchronize function, an off-by-one memory corruption occurs when packet_bytes is equal to or bigger than m. After having read m bytes, that is bytes_read is equal to m, " ..\x00" is still copied to the stack variable, causing an out-of-bounds write of 4 bytes, which overwrites the stack canary and results in a kernel panic.

This off-by-one requires physical access to the machine. It is not exploitable since we have no control over the overwritten data.

Similar off-by-one bugs have been observed in 4 other functions: ftdi_elan_stuck_waiting, ftdi_elan_read, ftdi_elan_edset_output and ftdi_elan_flush_input_fifo.

Reported-by: Alex Palesandro <[email protected]>
Signed-off-by: Xiao Han <[email protected]>
Tested-by: Paul Chaignon <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Diffstat (limited to 'lib/mpi/mpi-bit.c')
0 files changed, 0 insertions, 0 deletions
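
The bug class described in the commit message, as an added user-space example that is not the ftdi-elan driver's code: a hex-dump loop whose entry limit `m` leaves no room for the trailing " .." marker. `DIAG_SIZE`, `dump`, `overrun` and the two `m_*` helpers are hypothetical names, the buffer size and packet are constructed, and every write is bounded so the overrun is measured rather than performed.

```c
#include <stddef.h>
#include <stdio.h>

#define DIAG_SIZE 16 /* constructed: room for 5 " XX" entries plus NUL */

/* Entry limit that forgets the " .." marker (assumed buggy form). */
static size_t m_unreserved(size_t size) { return (size - 1) / 3; }
/* Entry limit that holds one 3-byte slot back for the marker. */
static size_t m_reserved(size_t size) { return (size - 1) / 3 - 1; }

/*
 * Print up to m bytes as " XX", then " .." once if more data follows.
 * Each snprintf is limited to the space left in out[], so output is
 * truncated instead of overflowing. Returns the byte count (NUL included)
 * that an unbounded sprintf loop would have written.
 */
static size_t dump(char *out, size_t size, const unsigned char *p,
                   size_t len, size_t m)
{
    size_t used = 0, i;

    out[0] = '\0';
    for (i = 0; i < len && i <= m; i++) {
        size_t room = used < size ? size - used : 0;
        char *dst = room ? out + used : NULL;

        if (i < m)
            snprintf(dst, room, " %02X", p[i]);
        else
            snprintf(dst, room, " .."); /* the write that overran */
        used += 3;
    }
    return used + 1;
}

/* Bytes past the end of the buffer an unbounded loop would have touched. */
static size_t overrun(size_t len, size_t m)
{
    char diag[DIAG_SIZE];
    unsigned char pkt[64] = {0}; /* constructed packet, len must be <= 64 */
    size_t need = dump(diag, sizeof(diag), pkt, len, m);

    return need > sizeof(diag) ? need - sizeof(diag) : 0;
}

int main(void)
{
    printf("unreserved m: %zu byte(s) over\n", overrun(6, m_unreserved(DIAG_SIZE)));
    printf("reserved m:   %zu byte(s) over\n", overrun(64, m_reserved(DIAG_SIZE)));
    return 0;
}
```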