* [PATCH] usb_driver_claim_interface: add sanity checking
@ 2016-03-16 12:26 Oliver Neukum
2016-03-16 14:08 ` Alan Stern
0 siblings, 1 reply; 3+ messages in thread
From: Oliver Neukum @ 2016-03-16 12:26 UTC (permalink / raw)
To: linux-usb, gregkh; +Cc: Oliver Neukum, Oliver Neukum, stable
Attacks that trick drivers into passing a NULL pointer
to usb_driver_claim_interface() using forged descriptors are
known. This thwarts them by sanity checking.
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
---
drivers/usb/core/driver.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
index 56593a9..2057d91 100644
--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -502,11 +502,15 @@ static int usb_unbind_interface(struct device *dev)
int usb_driver_claim_interface(struct usb_driver *driver,
struct usb_interface *iface, void *priv)
{
- struct device *dev = &iface->dev;
+ struct device *dev;
struct usb_device *udev;
int retval = 0;
int lpm_disable_error;
+ if (!iface)
+ return -ENODEV;
+
+ dev = &iface->dev;
if (dev->driver)
return -EBUSY;
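Review bot: The new `if (!iface) return -ENODEV;` check at the top of usb_driver_claim_interface() only helps callers that test the return value; a driver that ended up with a NULL interface pointer from forged descriptors and ignores the result will carry on with the same NULL pointer. Consider pairing this with NULL checks in the calling drivers, and naming in the changelog which callers are known to be affected. Minor style point: a blank line between `dev = &iface->dev;` and `if (dev->driver)` would separate the assignment from the test that follows, as was done after the new check.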
--
2.1.4
* Re: [PATCH] usb_driver_claim_interface: add sanity checking
From: Alan Stern @ 2016-03-16 14:08 UTC (permalink / raw)
To: Oliver Neukum; +Cc: linux-usb, gregkh, stable
On Wed, 16 Mar 2016, Oliver Neukum wrote:
> Attacks that trick drivers into passing a NULL pointer
> to usb_driver_claim_interface() using forged descriptors are
> known. This thwarts them by sanity checking.
I'm curious -- how do these attacks carry out their trickery?
Alan Stern
* Re: [PATCH] usb_driver_claim_interface: add sanity checking
From: Oliver Neukum @ 2016-03-16 14:11 UTC (permalink / raw)
To: Alan Stern; +Cc: gregkh, linux-usb, stable
On Wed, 2016-03-16 at 10:08 -0400, Alan Stern wrote:
> On Wed, 16 Mar 2016, Oliver Neukum wrote:
>
> > Attacks that trick drivers into passing a NULL pointer
> > to usb_driver_claim_interface() using forged descriptors are
> > known. This thwarts them by sanity checking.
>
> I'm curious -- how do these attacks carry out their trickery?
They are using a programmable gadget.
http://seclists.org/bugtraq/2016/Mar/90
HTH
Oliver