From patchwork Mon Apr 7 13:00:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Alexey V. Vissarionov" X-Patchwork-Id: 14040472 Received: from air.basealt.ru (air.basealt.ru [193.43.8.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CB343253B45 for ; Mon, 7 Apr 2025 13:00:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.43.8.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1744030808; cv=none; b=sCUTm6+QGw90KjVB/UgR7XT29nN/77bhhDO/ks/DvfPaqEaO1XRfJ1CXHZk+rluJ0UGjUclwbF0X1pLZ3KRzYH9YNugAzzUz/beGmY21KBZVU1hDeC4QpbRfv+L1x0VbJUe0vm1X5Mcvo/1RrQR43LpjpT8sHJqa+jsoRznYDTo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1744030808; c=relaxed/simple; bh=qxjFp0An00bjO2E5AEYaVXSrH+pzwIMGKPbeM1ipYlk=; h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type: Content-Disposition; b=qhKM8YL23gi8YipzcytVxLTWD5iUk7DnDYf53ODB+84+9bhbi6lKSkp8me1Xh9mfK75RGAoHyXkq6QGmmNEQpMiu0+V8tsmZwCPvuTjbuq3JpIc/BpOG7eDC1Dr+2+oykphz7rG79GPBt+oPnAzYHDVgrByJReiI3p9EXAVGPXw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=altlinux.org; spf=pass smtp.mailfrom=basealt.ru; arc=none smtp.client-ip=193.43.8.18 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=altlinux.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=basealt.ru Received: from localhost (broadband-46-242-4-129.ip.moscow.rt.ru [46.242.4.129]) (Authenticated sender: gremlin) by air.basealt.ru (Postfix) with ESMTPSA id E5E42233A2; Mon, 7 Apr 2025 16:00:01 +0300 (MSK) Date: Mon, 7 Apr 2025 16:00:00 +0300 From: "Alexey V. Vissarionov" To: Matthieu CASTET Cc: Stanislaw Gruszka , Greg Kroah-Hartman , Andrew Morton , linux-usb@vger.kernel.org, lvc-project@linuxtesting.org, gremlin@altlinux.org Subject: [PATCH] ueagle-atm: enforce boundary check for sync_wait[] Message-ID: <20250407130000.GD20970@altlinux.org> Precedence: bulk X-Mailing-List: linux-usb@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline After several increments of modem_index (e.g. after plugging and removing the device several times) modem_index may reach NB_MODEM value causing the out-of-boundary sync_wait[] array access. Found by ALT Linux Team (altlinux.org) and Linux Verification Center (linuxtesting.org). Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver") Signed-off-by: Alexey V. Vissarionov Acked-by: Stanislaw Gruszka --- drivers/usb/atm/ueagle-atm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/usb/atm/ueagle-atm.c b/drivers/usb/atm/ueagle-atm.c index cd0f7b4bd82ab132..436412b62c910e2f 100644 --- a/drivers/usb/atm/ueagle-atm.c +++ b/drivers/usb/atm/ueagle-atm.c @@ -2500,7 +2500,9 @@ static int uea_bind(struct usbatm_data *usbatm, struct usb_interface *intf, if (ifnum != UEA_INTR_IFACE_NO) return -ENODEV; - usbatm->flags = (sync_wait[modem_index] ? 0 : UDSL_SKIP_HEAVY_INIT); + usbatm->flags = + modem_index < NB_MODEM && sync_wait[modem_index] ? + 0 : UDSL_SKIP_HEAVY_INIT; /* interface 1 is for outbound traffic */ ret = claim_interface(usb, usbatm, UEA_US_IFACE_NO);