[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen: fix potential shift out-of-bounds in xenhcd_hub_control()

  • To: Zhang Shurong <zhang_shurong@xxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 26 Jun 2023 07:48:05 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=5OIfhZel9OSIrMnwV9oqQHwKNabLshgbuxOifQmEuME=; b=n2nY33vbEHPNnUclYBujDTni5548h3VaKnjyC6VKHjmC4t4mx4qwtLWDyuYgTUOf9/ZocoAUTNw7LcT+L0FFxeeB862giB6xc4TkGB86gSvMuUmBoLCyrKYsGu5usUBRZOhGBDc9dzQ45eYtWpN3/ycMbZ8qGriTx9zL/G+crIAHeW+xAD+DHzZTO4FK/a/lDeQvzMdUVUeGhCsWvcZwvcEd8Vqw5NkoIbirUmgl+eP3ccEuRynsMs6Itdx2EPMAfq9jaL63fC/6enrX91hzKGhcGegvKa3j9YHY2sTcWVEJeaB4nwwNrs/LYXxVx4WKHmUoE2xNKOoGpagMPJoAsw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nGALV/Bgjr9Zgr/jaXsWO667wUCIXnS00EhJbUAORrfQcoT800jr6YNULnserDwGYs7neQhVbR9BjgrdRrzjkMGWel8L/yestQU4LbT4gExU/4O7/T1+4BjJxwyVODjAq+myIaVsD8Uzs2Cf6V3HKlrO4URS5Eo18MLFhUgWTRaDlWAb/2vMkBwG+iQ+MaNpczUO7Yg3uKKppC/+RrfccMtBi+9JVIXMSaVMsHNzJCGLH7V5RF+BDbCiUyb2MxFpu4yRNFJ6Uwj7IV3UW6JceCloSFNaqmGdJRvze8sUl8Sf4eQbnw6xh2jgSv5zSFGOHeAJDcngWrGvPW/DGNojyw==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: gregkh@xxxxxxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, linux-usb@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, jgross@xxxxxxxx
  • Delivery-date: Mon, 26 Jun 2023 05:48:14 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 25.06.2023 18:42, Zhang Shurong wrote:
> --- a/drivers/usb/host/xen-hcd.c
> +++ b/drivers/usb/host/xen-hcd.c
> @@ -456,6 +456,8 @@ static int xenhcd_hub_control(struct usb_hcd *hcd, __u16 
> typeReq, __u16 wValue,
>                       info->ports[wIndex - 1].c_connection = false;
>                       fallthrough;
>               default:
> +                     if (wValue >= 32)
> +                             goto error;
>                       info->ports[wIndex - 1].status &= ~(1 << wValue);

Even 31 is out of bounds (as in: UB) as long as it's 1 here rather
than 1u.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.