From patchwork Tue Mar 29 17:22:58 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kamal Mostafa X-Patchwork-Id: 603085 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3qZHfw5WGRz9sBm; Wed, 30 Mar 2016 04:23:20 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1akxMM-0004Ln-E1; Tue, 29 Mar 2016 17:23:18 +0000 Received: from mail-pf0-f196.google.com ([209.85.192.196]) by huckleberry.canonical.com with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.76) (envelope-from ) id 1akxM7-0004GA-DG for kernel-team@lists.ubuntu.com; Tue, 29 Mar 2016 17:23:03 +0000 Received: by mail-pf0-f196.google.com with SMTP id q129so3538230pfb.3 for ; Tue, 29 Mar 2016 10:23:03 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=PvOb1yeQPoTjnhsz4zWJukQ1a2bSmnNjD1XWABFxi34=; b=L1TdTREBbbnjWDUQcn5NfqWl8jWWfqYANg/T01WP3SxuI25zLUnnxDq+eM6tpHwHJi kxtnZW8Io71YKrgvyvUtqzYz4qpZE2yceg2QyBhIXHuRysc+1KwFtiKlKOiwYhVLzLqO 8YbTCM9OuRg+SXxUkM6YYkLB+LbUp0ytpm8pwuTWQLxwfSgoT/GxXZO2as1F/+EWFbqv TJyA+p53yM7jtYXX+HL0REKxXuAvUD1eVkMqPlUJ5jhI+UDbE7B8VTf9HTcHXQHcSIzl RZ89WkETiZu+7k5VV0qDwKyaMrdqX5mErz1EXf6G3QwRILR9j5qEhyibefAvAE6qPP+6 7CDg== X-Gm-Message-State: AD7BkJLTFqbrQYFIXkWgtYh2Lpa92ia5HJNsaKgJHRHMamckb1dl4bVZxY3bJ3XhOI+nvA== X-Received: by 10.98.33.208 with SMTP id o77mr5455859pfj.108.1459272182130; Tue, 29 Mar 2016 10:23:02 -0700 (PDT) Received: from fourier (c-76-126-59-13.hsd1.ca.comcast.net. [76.126.59.13]) by smtp.gmail.com with ESMTPSA id wb7sm44693101pab.3.2016.03.29.10.23.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 29 Mar 2016 10:23:01 -0700 (PDT) Received: from kamal by fourier with local (Exim 4.86_2) (envelope-from ) id 1akxM3-00006I-UO; Tue, 29 Mar 2016 10:22:59 -0700 From: Kamal Mostafa To: Josh Boyer Subject: [3.19.y-ckt stable] Patch "USB: iowarrior: fix oops with malicious USB descriptors" has been added to the 3.19.y-ckt tree Date: Tue, 29 Mar 2016 10:22:58 -0700 Message-Id: <1459272178-350-1-git-send-email-kamal@canonical.com> X-Mailer: git-send-email 2.7.4 X-Extended-Stable: 3.19 Cc: Greg Kroah-Hartman , Ralf Spenneberg , Kamal Mostafa , kernel-team@lists.ubuntu.com X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled USB: iowarrior: fix oops with malicious USB descriptors to the linux-3.19.y-queue branch of the 3.19.y-ckt extended stable tree which can be found at: http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.19.y-queue This patch is scheduled to be released in version 3.18.8-ckt18. If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.19.y-ckt tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Kamal ---8<------------------------------------------------------------ From 3885b30ce8af74418ecfb2e864c4f6e900384d0a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 14 Mar 2016 10:42:38 -0400 Subject: USB: iowarrior: fix oops with malicious USB descriptors commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream. The iowarrior driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it. The full report of this issue can be found here: http://seclists.org/bugtraq/2016/Mar/87 Reported-by: Ralf Spenneberg Signed-off-by: Josh Boyer Signed-off-by: Greg Kroah-Hartman Signed-off-by: Kamal Mostafa --- drivers/usb/misc/iowarrior.c | 6 ++++++ 1 file changed, 6 insertions(+) -- 2.7.4 diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c index c6bfd13..1950e87 100644 --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface, iface_desc = interface->cur_altsetting; dev->product_id = le16_to_cpu(udev->descriptor.idProduct); + if (iface_desc->desc.bNumEndpoints < 1) { + dev_err(&interface->dev, "Invalid number of endpoints\n"); + retval = -EINVAL; + goto error; + } + /* set up the endpoint information */ for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { endpoint = &iface_desc->endpoint[i].desc;