From patchwork Tue Mar 29 17:23:04 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kamal Mostafa <kamal@canonical.com>
X-Patchwork-Id: 603086
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3qZHfz4qcHz9sBf;
	Wed, 30 Mar 2016 04:23:23 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1akxMP-0004NU-Kd; Tue, 29 Mar 2016 17:23:21 +0000
Received: from mail-pf0-f195.google.com ([209.85.192.195])
	by huckleberry.canonical.com with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16)
	(Exim 4.76) (envelope-from <kamal@whence.com>) id 1akxMC-0004HO-Lf
	for kernel-team@lists.ubuntu.com; Tue, 29 Mar 2016 17:23:08 +0000
Received: by mail-pf0-f195.google.com with SMTP id q129so3538679pfb.3
	for <kernel-team@lists.ubuntu.com>;
	Tue, 29 Mar 2016 10:23:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=AXHay8ima9zk1fSgtlEV4s4kC95ErHjP1HgtzUElXg8=;
	b=GJvZL3RyZzK2xYIozFN6sF4pEndfD7S1pC3a98fXTXBJr+GHaF6duSiCNgE/KNIg3P
	TSnR4HK+38+AOOP98hbIlL0HSVA/gz30QGt/68QKSxe6OjHoW0Ib4LYYBlBkuT798G6o
	Wu/zbfGndigKynVXA+cgFi480pJWUhvXzUkBuk0ZW00XDFkPZHiR4KbwJOx1CwJNu3tw
	9ruqEeGnGbLiDJPLbrWtDPWLMSPUqE5GTvrq4T8C2QTurR6lRhb6PPWFsRMpWZzl+xHl
	qCYhnTbgqwz839KEp3Q36mJwokf+lwK3mooi5lPsVwhFD5voR198Tf/Z1d0ZbANhLG2h
	IUTA==
X-Gm-Message-State: 
 AD7BkJL9JVmUMU/ojQKDwN5uGaBcKFxWTSyYilT5IKa+1OI9rZO/ej/6he2zB/DhQv/gOw==
X-Received: by 10.98.32.136 with SMTP id m8mr5360295pfj.11.1459272187372;
	Tue, 29 Mar 2016 10:23:07 -0700 (PDT)
Received: from fourier (c-76-126-59-13.hsd1.ca.comcast.net. [76.126.59.13])
	by smtp.gmail.com with ESMTPSA id
	p74sm7267501pfj.22.2016.03.29.10.23.06
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 29 Mar 2016 10:23:06 -0700 (PDT)
Received: from kamal by fourier with local (Exim 4.86_2)
	(envelope-from <kamal@whence.com>)
	id 1akxM9-00009I-8A; Tue, 29 Mar 2016 10:23:05 -0700
From: Kamal Mostafa <kamal@canonical.com>
To: Vladis Dronov <vdronov@redhat.com>
Subject: [3.19.y-ckt stable] Patch "Input: ati_remote2 - fix crashes on
	detecting device with invalid descriptor" has been added to the
	3.19.y-ckt tree
Date: Tue, 29 Mar 2016 10:23:04 -0700
Message-Id: <1459272184-537-1-git-send-email-kamal@canonical.com>
X-Mailer: git-send-email 2.7.4
X-Extended-Stable: 3.19
Cc: Ralf Spenneberg <ralf@spenneberg.net>,
	Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Kamal Mostafa <kamal@canonical.com>, kernel-team@lists.ubuntu.com
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

This is a note to let you know that I have just added a patch titled

    Input: ati_remote2 - fix crashes on detecting device with invalid descriptor

to the linux-3.19.y-queue branch of the 3.19.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.19.y-queue

This patch is scheduled to be released in version 3.18.8-ckt18.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.19.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

---8<------------------------------------------------------------

From b76980dad04339242b85b6691ea74873e780421a Mon Sep 17 00:00:00 2001
From: Vladis Dronov <vdronov@redhat.com>
Date: Wed, 23 Mar 2016 11:53:46 -0700
Subject: Input: ati_remote2 - fix crashes on detecting device with invalid
 descriptor

commit 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d upstream.

The ati_remote2 driver expects at least two interfaces with one
endpoint each. If given malicious descriptor that specify one
interface or no endpoints, it will crash in the probe function.
Ensure there is at least two interfaces and one endpoint for each
interface before using it.

The full disclosure: http://seclists.org/bugtraq/2016/Mar/90

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

--
2.7.4

diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c
index f63341f..e8c6a48 100644
--- a/drivers/input/misc/ati_remote2.c
+++ b/drivers/input/misc/ati_remote2.c
@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d

 	ar2->udev = udev;

+	/* Sanity check, first interface must have an endpoint */
+	if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+		dev_err(&interface->dev,
+			"%s(): interface 0 must have an endpoint\n", __func__);
+		r = -ENODEV;
+		goto fail1;
+	}
 	ar2->intf[0] = interface;
 	ar2->ep[0] = &alt->endpoint[0].desc;

+	/* Sanity check, the device must have two interfaces */
 	ar2->intf[1] = usb_ifnum_to_if(udev, 1);
+	if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
+		dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
+			__func__, udev->actconfig->desc.bNumInterfaces);
+		r = -ENODEV;
+		goto fail1;
+	}
+
 	r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
 	if (r)
 		goto fail1;
+
+	/* Sanity check, second interface must have an endpoint */
 	alt = ar2->intf[1]->cur_altsetting;
+	if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+		dev_err(&interface->dev,
+			"%s(): interface 1 must have an endpoint\n", __func__);
+		r = -ENODEV;
+		goto fail2;
+	}
 	ar2->ep[1] = &alt->endpoint[0].desc;

 	r = ati_remote2_urb_init(ar2);
 	if (r)
-		goto fail2;
+		goto fail3;

 	ar2->channel_mask = channel_mask;
 	ar2->mode_mask = mode_mask;

 	r = ati_remote2_setup(ar2, ar2->channel_mask);
 	if (r)
-		goto fail2;
+		goto fail3;

 	usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
 	strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d

 	r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
 	if (r)
-		goto fail2;
+		goto fail3;

 	r = ati_remote2_input_init(ar2);
 	if (r)
-		goto fail3;
+		goto fail4;

 	usb_set_intfdata(interface, ar2);

@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d

 	return 0;

- fail3:
+ fail4:
 	sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
- fail2:
+ fail3:
 	ati_remote2_urb_cleanup(ar2);
+ fail2:
 	usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
  fail1:
 	kfree(ar2);