From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga09.intel.com ([134.134.136.24]:9445 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750797AbcCYDCm (ORCPT ); Thu, 24 Mar 2016 23:02:42 -0400 Subject: Re: [PATCH 01/10] USB: usb_driver_claim_interface: add sanity checking Cc: Oliver Neukum , stable@vger.kernel.org References: <1458874746-958-1-git-send-email-baolu.lu@linux.intel.com> From: Lu Baolu Message-ID: <56F4AA4E.5050001@linux.intel.com> Date: Fri, 25 Mar 2016 11:02:38 +0800 MIME-Version: 1.0 In-Reply-To: <1458874746-958-1-git-send-email-baolu.lu@linux.intel.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit To: unlisted-recipients:; (no To-header on input) Sender: stable-owner@vger.kernel.org List-ID: I am sorry. This email was sent out due to an incorrect operation. Please ignore it. I am sorry for disturbing you. Best regards, Baolu On 03/25/2016 10:58 AM, Lu Baolu wrote: > From: Oliver Neukum > > Attacks that trick drivers into passing a NULL pointer > to usb_driver_claim_interface() using forged descriptors are > known. This thwarts them by sanity checking. > > Signed-off-by: Oliver Neukum > CC: stable@vger.kernel.org > Signed-off-by: Greg Kroah-Hartman > --- > drivers/usb/core/driver.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c > index 56593a9..2057d91 100644 > --- a/drivers/usb/core/driver.c > +++ b/drivers/usb/core/driver.c > @@ -502,11 +502,15 @@ static int usb_unbind_interface(struct device *dev) > int usb_driver_claim_interface(struct usb_driver *driver, > struct usb_interface *iface, void *priv) > { > - struct device *dev = &iface->dev; > + struct device *dev; > struct usb_device *udev; > int retval = 0; > int lpm_disable_error; > > + if (!iface) > + return -ENODEV; > + > + dev = &iface->dev; > if (dev->driver) > return -EBUSY; >
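
Review bot: the new `if (!iface) return -ENODEV;` at the top of usb_driver_claim_interface() protects only callers that check the return value, and nothing in the hunk documents the new error code. Suggest noting in the function's comment that a NULL iface now returns -ENODEV, so driver authors know to handle it alongside the existing -EBUSY case. The commit message says drivers are tricked into passing NULL through forged descriptors, so this check is a backstop in the core. The drivers that look up the interface from descriptor data should still validate the pointer before using it elsewhere.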