From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:37949 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752822AbcIIOhl (ORCPT
        <rfc822;stable@vger.kernel.org>); Fri, 9 Sep 2016 10:37:41 -0400
Subject: Patch "cdc-acm: added sanity checking for probe()" has been added to the 4.7-stable tree
To: oneukum@suse.com, bsharet@cisco.com, gregkh@linuxfoundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Fri, 09 Sep 2016 16:37:42 +0200
In-Reply-To: <1473326850-5056-1-git-send-email-oneukum@suse.com>
Message-ID: <147343186211125@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    cdc-acm: added sanity checking for probe()

to the 4.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cdc-acm-added-sanity-checking-for-probe.patch
and it can be found in the queue-4.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From oneukum@suse.com  Fri Sep  9 16:15:08 2016
From: Oliver Neukum <oneukum@suse.com>
Date: Thu,  8 Sep 2016 11:27:30 +0200
Subject: cdc-acm: added sanity checking for probe()
To: stable@vger.kernel.org, jslaby@suse.com
Cc: Oliver Neukum <oneukum@suse.com>
Message-ID: <1473326850-5056-1-git-send-email-oneukum@suse.com>

From: Oliver Neukum <oneukum@suse.com>

This is an alternative to eccf2a4e6b64d249929acc1f7aaa2ab0fb199d3d
which inadvertedly fixes an oops in probe by a device returning
malformed descriptors. The problem allows a malicious device to
attack the kernel.
That patch in v4.8 is too extensive to backport to stable.
Thus this alternative fix is needed up to v4.7

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: Binyamin Sharet <bsharet@cisco.com>
Tested-by: Binyamin Sharet <bsharet@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/cdc-acm.c |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1196,6 +1196,8 @@ static int acm_probe(struct usb_interfac
 	}
 
 	if (!buflen) {
+		if (!intf->cur_altsetting || !intf->cur_altsetting->endpoint)
+			return -EINVAL;
 		if (intf->cur_altsetting->endpoint &&
 				intf->cur_altsetting->endpoint->extralen &&
 				intf->cur_altsetting->endpoint->extra) {
@@ -1276,6 +1278,8 @@ next_desc:
 				data_interface = usb_ifnum_to_if(usb_dev, (data_interface_num = call_interface_num));
 			control_interface = intf;
 		} else {
+			if (!intf->cur_altsetting)
+				return -ENODEV;
 			if (intf->cur_altsetting->desc.bNumEndpoints != 3) {
 				dev_dbg(&intf->dev,"No union descriptor, giving up\n");
 				return -ENODEV;
@@ -1305,15 +1309,22 @@ next_desc:
 		combined_interfaces = 1;
 		/* a popular other OS doesn't use it */
 		quirks |= NO_CAP_LINE;
+		if (!data_interface->cur_altsetting)
+			return -EINVAL;
 		if (data_interface->cur_altsetting->desc.bNumEndpoints != 3) {
 			dev_err(&intf->dev, "This needs exactly 3 endpoints\n");
 			return -EINVAL;
 		}
 look_for_collapsed_interface:
+		if (!data_interface->cur_altsetting)
+			return -EINVAL;
 		for (i = 0; i < 3; i++) {
 			struct usb_endpoint_descriptor *ep;
 			ep = &data_interface->cur_altsetting->endpoint[i].desc;
 
+			if (!ep)
+				return -ENODEV;
+
 			if (usb_endpoint_is_int_in(ep))
 				epctrl = ep;
 			else if (usb_endpoint_is_bulk_out(ep))
@@ -1332,8 +1343,12 @@ look_for_collapsed_interface:
 skip_normal_probe:
 
 	/*workaround for switched interfaces */
+	if (!data_interface->cur_altsetting)
+		return -EINVAL;
 	if (data_interface->cur_altsetting->desc.bInterfaceClass
 						!= CDC_DATA_INTERFACE_TYPE) {
+		if (!control_interface->cur_altsetting)
+			return -EINVAL;
 		if (control_interface->cur_altsetting->desc.bInterfaceClass
 						== CDC_DATA_INTERFACE_TYPE) {
 			dev_dbg(&intf->dev,
@@ -1356,6 +1371,7 @@ skip_normal_probe:
 
 
 	if (data_interface->cur_altsetting->desc.bNumEndpoints < 2 ||
+	    !control_interface->cur_altsetting ||
 	    control_interface->cur_altsetting->desc.bNumEndpoints == 0)
 		return -EINVAL;
 
@@ -1363,6 +1379,8 @@ skip_normal_probe:
 	epread = &data_interface->cur_altsetting->endpoint[0].desc;
 	epwrite = &data_interface->cur_altsetting->endpoint[1].desc;
 
+	if (!epctrl || !epread || !epwrite)
+		return -ENODEV;
 
 	/* workaround for switched endpoints */
 	if (!usb_endpoint_dir_in(epread)) {


Patches currently in stable-queue which might be from oneukum@suse.com are

queue-4.7/cdc-acm-added-sanity-checking-for-probe.patch