* [PATCH] cdc-acm: added sanity checking for probe()
@ 2016-09-08 9:27 Oliver Neukum
2016-09-09 14:37 ` Patch "cdc-acm: added sanity checking for probe()" has been added to the 4.7-stable tree gregkh
0 siblings, 1 reply; 2+ messages in thread
From: Oliver Neukum @ 2016-09-08 9:27 UTC (permalink / raw)
To: stable, jslaby; +Cc: Oliver Neukum
This is an alternative to eccf2a4e6b64d249929acc1f7aaa2ab0fb199d3d
which inadvertedly fixes an oops in probe by a device returning
malformed descriptors. The problem allows a malicious device to
attack the kernel.
That patch in v4.8 is too extensive to backport to stable.
Thus this alternative fix is needed up to v4.7
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: Binyamin Sharet <bsharet@cisco.com>
Tested-by: Binyamin Sharet <bsharet@cisco.com>
---
drivers/usb/class/cdc-acm.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index ba6b978..d54e2c7 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1002,6 +1002,8 @@ static int acm_probe(struct usb_interface *intf,
}
if (!buflen) {
+ if (!intf->cur_altsetting || !intf->cur_altsetting->endpoint)
+ return -EINVAL;
if (intf->cur_altsetting->endpoint &&
intf->cur_altsetting->endpoint->extralen &&
intf->cur_altsetting->endpoint->extra) {
@@ -1069,6 +1071,8 @@ next_desc:
data_interface = usb_ifnum_to_if(usb_dev, (data_interface_num = call_interface_num));
control_interface = intf;
} else {
+ if (!intf->cur_altsetting)
+ return -ENODEV;
if (intf->cur_altsetting->desc.bNumEndpoints != 3) {
dev_dbg(&intf->dev,"No union descriptor, giving up\n");
return -ENODEV;
@@ -1098,15 +1102,22 @@ next_desc:
combined_interfaces = 1;
/* a popular other OS doesn't use it */
quirks |= NO_CAP_LINE;
+ if (!data_interface->cur_altsetting)
+ return -EINVAL;
if (data_interface->cur_altsetting->desc.bNumEndpoints != 3) {
dev_err(&intf->dev, "This needs exactly 3 endpoints\n");
return -EINVAL;
}
look_for_collapsed_interface:
+ if (!data_interface->cur_altsetting)
+ return -EINVAL;
for (i = 0; i < 3; i++) {
struct usb_endpoint_descriptor *ep;
ep = &data_interface->cur_altsetting->endpoint[i].desc;
+ if (!ep)
+ return -ENODEV;
+
if (usb_endpoint_is_int_in(ep))
epctrl = ep;
else if (usb_endpoint_is_bulk_out(ep))
@@ -1125,8 +1136,12 @@ look_for_collapsed_interface:
skip_normal_probe:
/*workaround for switched interfaces */
+ if (!data_interface->cur_altsetting)
+ return -EINVAL;
if (data_interface->cur_altsetting->desc.bInterfaceClass
!= CDC_DATA_INTERFACE_TYPE) {
+ if (!control_interface->cur_altsetting)
+ return -EINVAL;
if (control_interface->cur_altsetting->desc.bInterfaceClass
== CDC_DATA_INTERFACE_TYPE) {
struct usb_interface *t;
@@ -1152,6 +1167,7 @@ skip_normal_probe:
if (data_interface->cur_altsetting->desc.bNumEndpoints < 2 ||
+ !control_interface->cur_altsetting ||
control_interface->cur_altsetting->desc.bNumEndpoints == 0)
return -EINVAL;
@@ -1159,6 +1175,8 @@ skip_normal_probe:
epread = &data_interface->cur_altsetting->endpoint[0].desc;
epwrite = &data_interface->cur_altsetting->endpoint[1].desc;
+ if (!epctrl || !epread || !epwrite)
+ return -ENODEV;
/* workaround for switched endpoints */
if (!usb_endpoint_dir_in(epread)) {
--
2.6.2
^ permalink raw reply related [flat|nested] 2+ messages in thread* Patch "cdc-acm: added sanity checking for probe()" has been added to the 4.7-stable tree
2016-09-08 9:27 [PATCH] cdc-acm: added sanity checking for probe() Oliver Neukum
@ 2016-09-09 14:37 ` gregkh
0 siblings, 0 replies; 2+ messages in thread
From: gregkh @ 2016-09-09 14:37 UTC (permalink / raw)
To: oneukum, bsharet, gregkh; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
cdc-acm: added sanity checking for probe()
to the 4.7-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
cdc-acm-added-sanity-checking-for-probe.patch
and it can be found in the queue-4.7 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From oneukum@suse.com Fri Sep 9 16:15:08 2016
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 8 Sep 2016 11:27:30 +0200
Subject: cdc-acm: added sanity checking for probe()
To: stable@vger.kernel.org, jslaby@suse.com
Cc: Oliver Neukum <oneukum@suse.com>
Message-ID: <1473326850-5056-1-git-send-email-oneukum@suse.com>
From: Oliver Neukum <oneukum@suse.com>
This is an alternative to eccf2a4e6b64d249929acc1f7aaa2ab0fb199d3d
which inadvertedly fixes an oops in probe by a device returning
malformed descriptors. The problem allows a malicious device to
attack the kernel.
That patch in v4.8 is too extensive to backport to stable.
Thus this alternative fix is needed up to v4.7
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: Binyamin Sharet <bsharet@cisco.com>
Tested-by: Binyamin Sharet <bsharet@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1196,6 +1196,8 @@ static int acm_probe(struct usb_interfac
}
if (!buflen) {
+ if (!intf->cur_altsetting || !intf->cur_altsetting->endpoint)
+ return -EINVAL;
if (intf->cur_altsetting->endpoint &&
intf->cur_altsetting->endpoint->extralen &&
intf->cur_altsetting->endpoint->extra) {
@@ -1276,6 +1278,8 @@ next_desc:
data_interface = usb_ifnum_to_if(usb_dev, (data_interface_num = call_interface_num));
control_interface = intf;
} else {
+ if (!intf->cur_altsetting)
+ return -ENODEV;
if (intf->cur_altsetting->desc.bNumEndpoints != 3) {
dev_dbg(&intf->dev,"No union descriptor, giving up\n");
return -ENODEV;
@@ -1305,15 +1309,22 @@ next_desc:
combined_interfaces = 1;
/* a popular other OS doesn't use it */
quirks |= NO_CAP_LINE;
+ if (!data_interface->cur_altsetting)
+ return -EINVAL;
if (data_interface->cur_altsetting->desc.bNumEndpoints != 3) {
dev_err(&intf->dev, "This needs exactly 3 endpoints\n");
return -EINVAL;
}
look_for_collapsed_interface:
+ if (!data_interface->cur_altsetting)
+ return -EINVAL;
for (i = 0; i < 3; i++) {
struct usb_endpoint_descriptor *ep;
ep = &data_interface->cur_altsetting->endpoint[i].desc;
+ if (!ep)
+ return -ENODEV;
+
if (usb_endpoint_is_int_in(ep))
epctrl = ep;
else if (usb_endpoint_is_bulk_out(ep))
@@ -1332,8 +1343,12 @@ look_for_collapsed_interface:
skip_normal_probe:
/*workaround for switched interfaces */
+ if (!data_interface->cur_altsetting)
+ return -EINVAL;
if (data_interface->cur_altsetting->desc.bInterfaceClass
!= CDC_DATA_INTERFACE_TYPE) {
+ if (!control_interface->cur_altsetting)
+ return -EINVAL;
if (control_interface->cur_altsetting->desc.bInterfaceClass
== CDC_DATA_INTERFACE_TYPE) {
dev_dbg(&intf->dev,
@@ -1356,6 +1371,7 @@ skip_normal_probe:
if (data_interface->cur_altsetting->desc.bNumEndpoints < 2 ||
+ !control_interface->cur_altsetting ||
control_interface->cur_altsetting->desc.bNumEndpoints == 0)
return -EINVAL;
@@ -1363,6 +1379,8 @@ skip_normal_probe:
epread = &data_interface->cur_altsetting->endpoint[0].desc;
epwrite = &data_interface->cur_altsetting->endpoint[1].desc;
+ if (!epctrl || !epread || !epwrite)
+ return -ENODEV;
/* workaround for switched endpoints */
if (!usb_endpoint_dir_in(epread)) {
Patches currently in stable-queue which might be from oneukum@suse.com are
queue-4.7/cdc-acm-added-sanity-checking-for-probe.patch
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-09-09 14:37 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-08 9:27 [PATCH] cdc-acm: added sanity checking for probe() Oliver Neukum
2016-09-09 14:37 ` Patch "cdc-acm: added sanity checking for probe()" has been added to the 4.7-stable tree gregkh
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).