From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:45304 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751738AbdC0Qin (ORCPT ); Mon, 27 Mar 2017 12:38:43 -0400 Subject: Patch "USB: uss720: fix NULL-deref at probe" has been added to the 4.10-stable tree To: johan@kernel.org, gregkh@linuxfoundation.org Cc: , From: Date: Mon, 27 Mar 2017 18:37:50 +0200 Message-ID: <149063267016110@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled USB: uss720: fix NULL-deref at probe to the 4.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: usb-uss720-fix-null-deref-at-probe.patch and it can be found in the queue-4.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Mon, 13 Mar 2017 13:47:50 +0100 Subject: USB: uss720: fix NULL-deref at probe From: Johan Hovold commit f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 upstream. Make sure to check the number of endpoints to avoid dereferencing a NULL-pointer or accessing memory beyond the endpoint array should a malicious device lack the expected endpoints. Note that the endpoint access that causes the NULL-deref is currently only used for debugging purposes during probe so the oops only happens when dynamic debugging is enabled. This means the driver could be rewritten to continue to accept device with only two endpoints, should such devices exist. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/uss720.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/usb/misc/uss720.c +++ b/drivers/usb/misc/uss720.c @@ -708,6 +708,11 @@ static int uss720_probe(struct usb_inter interface = intf->cur_altsetting; + if (interface->desc.bNumEndpoints < 3) { + usb_put_dev(usbdev); + return -ENODEV; + } + /* * Allocate parport interface */ Patches currently in stable-queue which might be from johan@kernel.org are queue-4.10/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch queue-4.10/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch queue-4.10/usb-usbtmc-add-missing-endpoint-sanity-check.patch queue-4.10/input-cm109-validate-number-of-endpoints-before-using-them.patch queue-4.10/input-iforce-validate-number-of-endpoints-before-using-them.patch queue-4.10/mmc-ushc-fix-null-deref-at-probe.patch queue-4.10/input-kbtab-validate-number-of-endpoints-before-using-them.patch queue-4.10/usb-usbtmc-fix-probe-error-path.patch queue-4.10/input-sur40-validate-number-of-endpoints-before-using-them.patch queue-4.10/uwb-i1480-dfu-fix-null-deref-at-probe.patch queue-4.10/input-hanwang-validate-number-of-endpoints-before-using-them.patch queue-4.10/usb-idmouse-fix-null-deref-at-probe.patch queue-4.10/uwb-hwa-rc-fix-null-deref-at-probe.patch queue-4.10/usb-lvtest-fix-null-deref-at-probe.patch queue-4.10/input-yealink-validate-number-of-endpoints-before-using-them.patch queue-4.10/usb-serial-qcserial-add-dell-dw5811e.patch queue-4.10/usb-uss720-fix-null-deref-at-probe.patch queue-4.10/usb-wusbcore-fix-null-deref-at-probe.patch