stable.vger.kernel.org archive mirror
* [PATCH 1/5] USB: serial: io_ti: fix NULL-deref in interrupt callback
       [not found] <20170306163641.3673-1-johan@kernel.org>
@ 2017-03-06 16:36 ` Johan Hovold
  2017-03-06 16:36 ` [PATCH 2/5] USB: serial: omninet: fix reference leaks at open Johan Hovold
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 4+ messages in thread
From: Johan Hovold @ 2017-03-06 16:36 UTC (permalink / raw)
  To: linux-usb; +Cc: Johan Hovold, stable

Fix a NULL-pointer dereference in the interrupt callback should a
malicious device send data containing a bad port number by adding the
missing sanity check.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/serial/io_ti.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index ceaeebaa6f90..4561dd4cde8b 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -1674,6 +1674,12 @@ static void edge_interrupt_callback(struct urb *urb)
 	function    = TIUMP_GET_FUNC_FROM_CODE(data[0]);
 	dev_dbg(dev, "%s - port_number %d, function %d, info 0x%x\n", __func__,
 		port_number, function, data[1]);
+
+	if (port_number >= edge_serial->serial->num_ports) {
+		dev_err(dev, "bad port number %d\n", port_number);
+		goto exit;
+	}
+
 	port = edge_serial->serial->port[port_number];
 	edge_port = usb_get_serial_port_data(port);
 	if (!edge_port) {
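Review bot: the new dev_err() in the bounds check runs in the interrupt completion handler on a value the device controls, so a misbehaving device can fill the kernel log at interrupt rate. Consider dev_err_ratelimited() or keeping the message at dev_dbg level. Also, data[0] and data[1] are read in the context lines above the check; nothing in this hunk shows that the transfer was long enough to contain them, so it is worth confirming that the length is validated earlier in edge_interrupt_callback().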
-- 
2.12.0


* [PATCH 2/5] USB: serial: omninet: fix reference leaks at open
       [not found] <20170306163641.3673-1-johan@kernel.org>
  2017-03-06 16:36 ` [PATCH 1/5] USB: serial: io_ti: fix NULL-deref in interrupt callback Johan Hovold
@ 2017-03-06 16:36 ` Johan Hovold
  2017-03-06 16:36 ` [PATCH 4/5] USB: serial: io_ti: fix information leak in completion handler Johan Hovold
  2017-03-06 16:36 ` [PATCH 5/5] USB: serial: safe_serial: " Johan Hovold
  3 siblings, 0 replies; 4+ messages in thread
From: Johan Hovold @ 2017-03-06 16:36 UTC (permalink / raw)
  To: linux-usb; +Cc: Johan Hovold, stable # 2.6.28

This driver needlessly took another reference to the tty on open, a
reference which was then never released on close. This led to not just
a leak of the tty, but also a driver reference leak that prevented the
driver from being unloaded after a port had once been opened.

Fixes: 4a90f09b20f4 ("tty: usb-serial krefs")
Cc: stable <stable@vger.kernel.org>	# 2.6.28
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/serial/omninet.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/drivers/usb/serial/omninet.c b/drivers/usb/serial/omninet.c
index a180b17d2432..76564b3bebb9 100644
--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -142,12 +142,6 @@ static int omninet_port_remove(struct usb_serial_port *port)
 
 static int omninet_open(struct tty_struct *tty, struct usb_serial_port *port)
 {
-	struct usb_serial	*serial = port->serial;
-	struct usb_serial_port	*wport;
-
-	wport = serial->port[1];
-	tty_port_tty_set(&wport->port, tty);
-
 	return usb_serial_generic_open(tty, port);
 }
 
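Review bot: the changelog calls the extra reference needless but does not say why nothing depends on the tty being set on serial->port[1], which is what the removed tty_port_tty_set(&wport->port, tty) call in omninet_open() did. Please state in the commit message that no remaining path in the driver looks up the tty through that second port (for example a write-completion wakeup), so a reader of the stable backport can see that only the leak goes away and no behaviour changes.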
-- 
2.12.0


* [PATCH 4/5] USB: serial: io_ti: fix information leak in completion handler
       [not found] <20170306163641.3673-1-johan@kernel.org>
  2017-03-06 16:36 ` [PATCH 1/5] USB: serial: io_ti: fix NULL-deref in interrupt callback Johan Hovold
  2017-03-06 16:36 ` [PATCH 2/5] USB: serial: omninet: fix reference leaks at open Johan Hovold
@ 2017-03-06 16:36 ` Johan Hovold
  2017-03-06 16:36 ` [PATCH 5/5] USB: serial: safe_serial: " Johan Hovold
  3 siblings, 0 replies; 4+ messages in thread
From: Johan Hovold @ 2017-03-06 16:36 UTC (permalink / raw)
  To: linux-usb; +Cc: Johan Hovold, stable # 2.6.30

Add missing sanity check to the bulk-in completion handler to avoid an
integer underflow that can be triggered by a malicious device.

This avoids leaking 128 kB of memory content from after the URB transfer
buffer to user space.

Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>	# 2.6.30
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/serial/io_ti.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index 4561dd4cde8b..a76b95d32157 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -1761,7 +1761,7 @@ static void edge_bulk_in_callback(struct urb *urb)
 
 	port_number = edge_port->port->port_number;
 
-	if (edge_port->lsr_event) {
+	if (urb->actual_length > 0 && edge_port->lsr_event) {
 		edge_port->lsr_event = 0;
 		dev_dbg(dev, "%s ===== Port %u LSR Status = %02x, Data = %02x ======\n",
 			__func__, port_number, edge_port->lsr_mask, *data);
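Review bot: with the added urb->actual_length > 0 test in edge_bulk_in_callback(), a zero-length completion that arrives while lsr_event is set now skips the whole block, so lsr_event is left set and the LSR status is applied to the first byte of a later transfer. If that deferral is intended, a one-line comment above the condition would make it explicit; if not, the flag should be cleared on the zero-length path. The changelog could also name the statement that underflows, since it lies outside the lines shown here.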
-- 
2.12.0


* [PATCH 5/5] USB: serial: safe_serial: fix information leak in completion handler
       [not found] <20170306163641.3673-1-johan@kernel.org>
                   ` (2 preceding siblings ...)
  2017-03-06 16:36 ` [PATCH 4/5] USB: serial: io_ti: fix information leak in completion handler Johan Hovold
@ 2017-03-06 16:36 ` Johan Hovold
  3 siblings, 0 replies; 4+ messages in thread
From: Johan Hovold @ 2017-03-06 16:36 UTC (permalink / raw)
  To: linux-usb; +Cc: Johan Hovold, stable

Add missing sanity check to the bulk-in completion handler to avoid an
integer underflow that could be triggered by a malicious device.

This avoids leaking up to 56 bytes from after the URB transfer buffer to
user space.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/serial/safe_serial.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/usb/serial/safe_serial.c b/drivers/usb/serial/safe_serial.c
index 93c6c9b08daa..8a069aa154ed 100644
--- a/drivers/usb/serial/safe_serial.c
+++ b/drivers/usb/serial/safe_serial.c
@@ -200,6 +200,11 @@ static void safe_process_read_urb(struct urb *urb)
 	if (!safe)
 		goto out;
 
+	if (length < 2) {
+		dev_err(&port->dev, "malformed packet\n");
+		return;
+	}
+
 	fcs = fcs_compute10(data, length, CRC10_INITFCS);
 	if (fcs) {
 		dev_err(&port->dev, "%s - bad CRC %x\n", __func__, fcs);
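Review bot: the new length < 2 branch in safe_process_read_urb() exits with a bare return, while the !safe check directly above it leaves through goto out. If out performs cleanup that every exit needs, the new branch should use it too; if the return is deliberate so that a malformed packet is dropped, a short comment saying so would help. The message "malformed packet" would also be more useful with the length included, and since a device can trigger it on every transfer, dev_err_ratelimited() or dev_dbg() would avoid log flooding.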
-- 
2.12.0

