Message-ID: <1458137469.6570.23.camel@suse.com>
Subject: Re: [PATCH] usb_driver_claim_interface: add sanity checking
From: Oliver Neukum
To: Alan Stern
Cc: gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, stable@vger.kernel.org
Date: Wed, 16 Mar 2016 15:11:09 +0100

On Wed, 2016-03-16 at 10:08 -0400, Alan Stern wrote:
> On Wed, 16 Mar 2016, Oliver Neukum wrote:
>
> > Attacks that trick drivers into passing a NULL pointer
> > to usb_driver_claim_interface() using forged descriptors are
> > known. This thwarts them by sanity checking.
>
> I'm curious -- how do these attacks carry out their trickery?

They are using a programmable gadget.
http://seclists.org/bugtraq/2016/Mar/90

HTH
Oliver