* [PATCH v2 0/3] staging: gigaset: fix crashes on probe
From: Johan Hovold @ 2019-12-02  8:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: devel, linux-kernel, linux-usb, Johan Hovold

Syzbot has been reporting a GPF on probe in the gigaset ISDN driver,
which has since been moved to staging.

The first patch fixes that issue, and the next one fixes a second crash
found during testing.

The third patch addresses a benign warning in USB core which syzbot is
bound to report once the crashes have been fixed.

Johan


Changes in v2
 - use usb_endpoint_is_bulk_out() and friends in patch 3/3, and drop
   patch 4/4 which only renamed an identifier.


Johan Hovold (3):
  staging: gigaset: fix general protection fault on probe
  staging: gigaset: fix illegal free on probe errors
  staging: gigaset: add endpoint-type sanity check

 drivers/staging/isdn/gigaset/usb-gigaset.c | 23 +++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

-- 
2.24.0



* [PATCH v2 1/3] staging: gigaset: fix general protection fault on probe
From: Johan Hovold @ 2019-12-02  8:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: devel, linux-kernel, linux-usb, Johan Hovold,
	syzbot+35b1c403a14f5c89eba7, stable, Hansjoerg Lipp,
	Tilman Schmidt

Fix a general protection fault when accessing the endpoint descriptors
which could be triggered by a malicious device due to missing sanity
checks on the number of endpoints.

Reported-by: syzbot+35b1c403a14f5c89eba7@syzkaller.appspotmail.com
Fixes: 07dc1f9f2f80 ("[PATCH] isdn4linux: Siemens Gigaset drivers - M105 USB DECT adapter")
Cc: stable <stable@vger.kernel.org>     # 2.6.17
Cc: Hansjoerg Lipp <hjlipp@web.de>
Cc: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/staging/isdn/gigaset/usb-gigaset.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/staging/isdn/gigaset/usb-gigaset.c b/drivers/staging/isdn/gigaset/usb-gigaset.c
index 1b9b43659bdf..5e393e7dde45 100644
--- a/drivers/staging/isdn/gigaset/usb-gigaset.c
+++ b/drivers/staging/isdn/gigaset/usb-gigaset.c
@@ -685,6 +685,11 @@ static int gigaset_probe(struct usb_interface *interface,
 		return -ENODEV;
 	}
 
+	if (hostif->desc.bNumEndpoints < 2) {
+		dev_err(&interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
 	dev_info(&udev->dev, "%s: Device matched ... !\n", __func__);
 
 	/* allocate memory for our device state and initialize it */
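Review bot: The new `bNumEndpoints < 2` guard at the top of the hunk sits before the device-state allocation that follows the `dev_info()` line, so the bare `return -ENODEV` is correct with nothing to unwind. A small improvement would be to include the actual count in the message, e.g. `dev_err(&interface->dev, "missing endpoints (%d)\n", hostif->desc.bNumEndpoints);`, which makes fuzzer reports easier to triage. Note that this only bounds the `endpoint[]` array accesses; it does not validate the endpoint types, which is left to 3/3.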
-- 
2.24.0



* [PATCH v2 2/3] staging: gigaset: fix illegal free on probe errors
From: Johan Hovold @ 2019-12-02  8:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: devel, linux-kernel, linux-usb, Johan Hovold, stable,
	Tilman Schmidt

The driver failed to initialise its receive-buffer pointer, something
which could lead to an illegal free on late probe errors.

Fix this by making sure to clear all driver data at allocation.

Fixes: 2032e2c2309d ("usb_gigaset: code cleanup")
Cc: stable <stable@vger.kernel.org>     # 2.6.33
Cc: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/staging/isdn/gigaset/usb-gigaset.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/staging/isdn/gigaset/usb-gigaset.c b/drivers/staging/isdn/gigaset/usb-gigaset.c
index 5e393e7dde45..a84722d83bc6 100644
--- a/drivers/staging/isdn/gigaset/usb-gigaset.c
+++ b/drivers/staging/isdn/gigaset/usb-gigaset.c
@@ -571,8 +571,7 @@ static int gigaset_initcshw(struct cardstate *cs)
 {
 	struct usb_cardstate *ucs;
 
-	cs->hw.usb = ucs =
-		kmalloc(sizeof(struct usb_cardstate), GFP_KERNEL);
+	cs->hw.usb = ucs = kzalloc(sizeof(struct usb_cardstate), GFP_KERNEL);
 	if (!ucs) {
 		pr_err("out of memory\n");
 		return -ENOMEM;
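Review bot: Switching to kzalloc() in the `cs->hw.usb = ucs = ...` line is the right fix: every pointer field that was never explicitly assigned (the receive-buffer pointer named in the commit message) is now NULL, so a kfree() on the late probe error path is safe. Style nit: `kzalloc(sizeof(*ucs), GFP_KERNEL)` is the preferred kernel form and keeps the line shorter.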
@@ -584,9 +583,6 @@ static int gigaset_initcshw(struct cardstate *cs)
 	ucs->bchars[3] = 0;
 	ucs->bchars[4] = 0x11;
 	ucs->bchars[5] = 0x13;
-	ucs->bulk_out_buffer = NULL;
-	ucs->bulk_out_urb = NULL;
-	ucs->read_urb = NULL;
 	tasklet_init(&cs->write_tasklet,
 		     gigaset_modem_fill, (unsigned long) cs);
 
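Review bot: The three removed NULL assignments are redundant once the allocation above is a kzalloc(), so dropping them is correct. The same reasoning applies to `ucs->bchars[3] = 0;` in the surrounding context, which could go in a follow-up for consistency; the non-zero `bchars[4]` and `bchars[5]` stores must of course stay.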
-- 
2.24.0



* [PATCH v2 3/3] staging: gigaset: add endpoint-type sanity check
From: Johan Hovold @ 2019-12-02  8:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: devel, linux-kernel, linux-usb, Johan Hovold

Add missing endpoint-type sanity checks to probe.

This specifically prevents a warning in USB core on URB submission when
fuzzing USB descriptors.

Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/staging/isdn/gigaset/usb-gigaset.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/staging/isdn/gigaset/usb-gigaset.c b/drivers/staging/isdn/gigaset/usb-gigaset.c
index a84722d83bc6..a20c0bfa68f3 100644
--- a/drivers/staging/isdn/gigaset/usb-gigaset.c
+++ b/drivers/staging/isdn/gigaset/usb-gigaset.c
@@ -705,6 +705,12 @@ static int gigaset_probe(struct usb_interface *interface,
 
 	endpoint = &hostif->endpoint[0].desc;
 
+	if (!usb_endpoint_is_bulk_out(endpoint)) {
+		dev_err(&interface->dev, "missing bulk-out endpoint\n");
+		retval = -ENODEV;
+		goto error;
+	}
+
 	buffer_size = le16_to_cpu(endpoint->wMaxPacketSize);
 	ucs->bulk_out_size = buffer_size;
 	ucs->bulk_out_epnum = usb_endpoint_num(endpoint);
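Review bot: The `usb_endpoint_is_bulk_out()` check is placed before `buffer_size` is read from the descriptor, so a mis-typed first endpoint is rejected before anything is derived from it. Using `goto error` instead of a bare return is correct here because the device state has already been allocated at this point, and with 2/3 applied the cleanup at `error` sees NULL for the URB and buffer that have not been allocated yet. One question: `usb_endpoint_is_bulk_out()` validates type and direction only, so `wMaxPacketSize` is still taken on trust; if the buffer allocation that consumes `buffer_size` cannot cope with a zero length, an `if (!buffer_size)` check would belong right next to this one.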
@@ -724,6 +730,12 @@ static int gigaset_probe(struct usb_interface *interface,
 
 	endpoint = &hostif->endpoint[1].desc;
 
+	if (!usb_endpoint_is_int_in(endpoint)) {
+		dev_err(&interface->dev, "missing int-in endpoint\n");
+		retval = -ENODEV;
+		goto error;
+	}
+
 	ucs->busy = 0;
 
 	ucs->read_urb = usb_alloc_urb(0, GFP_KERNEL);
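Review bot: The `usb_endpoint_is_int_in()` check precedes the `usb_alloc_urb()` for `read_urb`, so the interrupt URB is never allocated against an endpoint of the wrong type, and the error handling mirrors the bulk-out check in the previous hunk. Worth a short comment at the top of probe: the driver still addresses the endpoints by fixed index (`endpoint[0]` bulk-out, `endpoint[1]` int-in) rather than searching the interface for them, which is fine for this hardware but means a device exposing the same endpoints in another order is rejected rather than matched.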
-- 
2.24.0

