* [PATCH 1/6] USB: idmouse: fix NULL-deref at probe
[not found] <20170313124753.28784-1-johan@kernel.org>
@ 2017-03-13 12:47 ` Johan Hovold
2017-03-13 12:47 ` [PATCH 2/6] USB: lvtest: " Johan Hovold
` (4 subsequent siblings)
5 siblings, 0 replies; 6+ messages in thread
From: Johan Hovold @ 2017-03-13 12:47 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-usb, linux-kernel, Johan Hovold, stable
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/usb/misc/idmouse.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/misc/idmouse.c b/drivers/usb/misc/idmouse.c
index 8b9fd7534f69..502bfe30a077 100644
--- a/drivers/usb/misc/idmouse.c
+++ b/drivers/usb/misc/idmouse.c
@@ -347,6 +347,9 @@ static int idmouse_probe(struct usb_interface *interface,
if (iface_desc->desc.bInterfaceClass != 0x0A)
return -ENODEV;
+ if (iface_desc->desc.bNumEndpoints < 1)
+ return -ENODEV;
+
/* allocate memory for our device state and initialize it */
dev = kzalloc(sizeof(*dev), GFP_KERNEL);
if (dev == NULL)
--
2.12.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/6] USB: lvtest: fix NULL-deref at probe
[not found] <20170313124753.28784-1-johan@kernel.org>
2017-03-13 12:47 ` [PATCH 1/6] USB: idmouse: fix NULL-deref at probe Johan Hovold
@ 2017-03-13 12:47 ` Johan Hovold
2017-03-13 12:47 ` [PATCH 3/6] USB: uss720: " Johan Hovold
` (3 subsequent siblings)
5 siblings, 0 replies; 6+ messages in thread
From: Johan Hovold @ 2017-03-13 12:47 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-usb, linux-kernel, Johan Hovold, stable, Pratyush Anand
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should the probed device lack endpoints.
Note that this driver does not bind to any devices by default.
Fixes: ce21bfe603b3 ("USB: Add LVS Test device driver")
Cc: stable <stable@vger.kernel.org> # 3.17
Cc: Pratyush Anand <pratyush.anand@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/usb/misc/lvstest.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/misc/lvstest.c b/drivers/usb/misc/lvstest.c
index 77176511658f..d3d124753266 100644
--- a/drivers/usb/misc/lvstest.c
+++ b/drivers/usb/misc/lvstest.c
@@ -366,6 +366,10 @@ static int lvs_rh_probe(struct usb_interface *intf,
hdev = interface_to_usbdev(intf);
desc = intf->cur_altsetting;
+
+ if (desc->desc.bNumEndpoints < 1)
+ return -ENODEV;
+
endpoint = &desc->endpoint[0].desc;
/* valid only for SS root hub */
--
2.12.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/6] USB: uss720: fix NULL-deref at probe
[not found] <20170313124753.28784-1-johan@kernel.org>
2017-03-13 12:47 ` [PATCH 1/6] USB: idmouse: fix NULL-deref at probe Johan Hovold
2017-03-13 12:47 ` [PATCH 2/6] USB: lvtest: " Johan Hovold
@ 2017-03-13 12:47 ` Johan Hovold
2017-03-13 12:47 ` [PATCH 4/6] USB: wusbcore: " Johan Hovold
` (2 subsequent siblings)
5 siblings, 0 replies; 6+ messages in thread
From: Johan Hovold @ 2017-03-13 12:47 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-usb, linux-kernel, Johan Hovold, stable
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.
Note that the endpoint access that causes the NULL-deref is currently
only used for debugging purposes during probe so the oops only happens
when dynamic debugging is enabled. This means the driver could be
rewritten to continue to accept device with only two endpoints, should
such devices exist.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/usb/misc/uss720.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c
index e45a3a680db8..07014cad6dbe 100644
--- a/drivers/usb/misc/uss720.c
+++ b/drivers/usb/misc/uss720.c
@@ -709,6 +709,11 @@ static int uss720_probe(struct usb_interface *intf,
interface = intf->cur_altsetting;
+ if (interface->desc.bNumEndpoints < 3) {
+ usb_put_dev(usbdev);
+ return -ENODEV;
+ }
+
/*
* Allocate parport interface
*/
--
2.12.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 4/6] USB: wusbcore: fix NULL-deref at probe
[not found] <20170313124753.28784-1-johan@kernel.org>
` (2 preceding siblings ...)
2017-03-13 12:47 ` [PATCH 3/6] USB: uss720: " Johan Hovold
@ 2017-03-13 12:47 ` Johan Hovold
2017-03-13 12:47 ` [PATCH 5/6] uwb: hwa-rc: " Johan Hovold
2017-03-13 12:47 ` [PATCH 6/6] uwb: i1480-dfu: " Johan Hovold
5 siblings, 0 replies; 6+ messages in thread
From: Johan Hovold @ 2017-03-13 12:47 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-usb, linux-kernel, Johan Hovold, stable,
Inaky Perez-Gonzalez, David Vrabel
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.
This specifically fixes the NULL-pointer dereference when probing HWA HC
devices.
Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core")
Cc: stable <stable@vger.kernel.org> # 2.6.28
Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
Cc: David Vrabel <david.vrabel@csr.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/usb/wusbcore/wa-hc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/wusbcore/wa-hc.c b/drivers/usb/wusbcore/wa-hc.c
index 252c7bd9218a..d01496fd27fe 100644
--- a/drivers/usb/wusbcore/wa-hc.c
+++ b/drivers/usb/wusbcore/wa-hc.c
@@ -39,6 +39,9 @@ int wa_create(struct wahc *wa, struct usb_interface *iface,
int result;
struct device *dev = &iface->dev;
+ if (iface->cur_altsetting->desc.bNumEndpoints < 3)
+ return -ENODEV;
+
result = wa_rpipes_create(wa);
if (result < 0)
goto error_rpipes_create;
--
2.12.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 5/6] uwb: hwa-rc: fix NULL-deref at probe
[not found] <20170313124753.28784-1-johan@kernel.org>
` (3 preceding siblings ...)
2017-03-13 12:47 ` [PATCH 4/6] USB: wusbcore: " Johan Hovold
@ 2017-03-13 12:47 ` Johan Hovold
2017-03-13 12:47 ` [PATCH 6/6] uwb: i1480-dfu: " Johan Hovold
5 siblings, 0 replies; 6+ messages in thread
From: Johan Hovold @ 2017-03-13 12:47 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-usb, linux-kernel, Johan Hovold, stable,
Inaky Perez-Gonzalez, David Vrabel
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.
Note that the dereference happens in the start callback which is called
during probe.
Fixes: de520b8bd552 ("uwb: add HWA radio controller driver")
Cc: stable <stable@vger.kernel.org> # 2.6.28
Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
Cc: David Vrabel <david.vrabel@csr.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/uwb/hwa-rc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/uwb/hwa-rc.c b/drivers/uwb/hwa-rc.c
index 0aa6c3c29d17..35a1e777b449 100644
--- a/drivers/uwb/hwa-rc.c
+++ b/drivers/uwb/hwa-rc.c
@@ -823,6 +823,9 @@ static int hwarc_probe(struct usb_interface *iface,
struct hwarc *hwarc;
struct device *dev = &iface->dev;
+ if (iface->cur_altsetting->desc.bNumEndpoints < 1)
+ return -ENODEV;
+
result = -ENOMEM;
uwb_rc = uwb_rc_alloc();
if (uwb_rc == NULL) {
--
2.12.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 6/6] uwb: i1480-dfu: fix NULL-deref at probe
[not found] <20170313124753.28784-1-johan@kernel.org>
` (4 preceding siblings ...)
2017-03-13 12:47 ` [PATCH 5/6] uwb: hwa-rc: " Johan Hovold
@ 2017-03-13 12:47 ` Johan Hovold
5 siblings, 0 replies; 6+ messages in thread
From: Johan Hovold @ 2017-03-13 12:47 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-usb, linux-kernel, Johan Hovold, stable,
Inaky Perez-Gonzalez, David Vrabel
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.
Note that the dereference happens in the cmd and wait_init_done
callbacks which are called during probe.
Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver")
Cc: stable <stable@vger.kernel.org> # 2.6.28
Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
Cc: David Vrabel <david.vrabel@csr.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/uwb/i1480/dfu/usb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/uwb/i1480/dfu/usb.c b/drivers/uwb/i1480/dfu/usb.c
index 2bfc846ac071..6345e85822a4 100644
--- a/drivers/uwb/i1480/dfu/usb.c
+++ b/drivers/uwb/i1480/dfu/usb.c
@@ -362,6 +362,9 @@ int i1480_usb_probe(struct usb_interface *iface, const struct usb_device_id *id)
result);
}
+ if (iface->cur_altsetting->desc.bNumEndpoints < 1)
+ return -ENODEV;
+
result = -ENOMEM;
i1480_usb = kzalloc(sizeof(*i1480_usb), GFP_KERNEL);
if (i1480_usb == NULL) {
--
2.12.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-03-13 12:48 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20170313124753.28784-1-johan@kernel.org>
2017-03-13 12:47 ` [PATCH 1/6] USB: idmouse: fix NULL-deref at probe Johan Hovold
2017-03-13 12:47 ` [PATCH 2/6] USB: lvtest: " Johan Hovold
2017-03-13 12:47 ` [PATCH 3/6] USB: uss720: " Johan Hovold
2017-03-13 12:47 ` [PATCH 4/6] USB: wusbcore: " Johan Hovold
2017-03-13 12:47 ` [PATCH 5/6] uwb: hwa-rc: " Johan Hovold
2017-03-13 12:47 ` [PATCH 6/6] uwb: i1480-dfu: " Johan Hovold
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).