From patchwork Tue Mar 29 17:25:46 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kamal Mostafa <kamal@canonical.com>
X-Patchwork-Id: 603094
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3qZHk16GvGz9s5g;
	Wed, 30 Mar 2016 04:26:01 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1akxOu-0004c7-W3; Tue, 29 Mar 2016 17:25:56 +0000
Received: from mail-pf0-f194.google.com ([209.85.192.194])
	by huckleberry.canonical.com with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16)
	(Exim 4.76) (envelope-from <kamal@whence.com>) id 1akxOp-0004ZH-9M
	for kernel-team@lists.ubuntu.com; Tue, 29 Mar 2016 17:25:51 +0000
Received: by mail-pf0-f194.google.com with SMTP id n5so3461584pfn.1
	for <kernel-team@lists.ubuntu.com>;
	Tue, 29 Mar 2016 10:25:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=f3rpXeylWWvfpmrU76neyUjGMeBuFS5VmnuCpjBnALM=;
	b=giJk1trQepDEI9U982NInNIQHi+YTkaax/RAf7dsqzCj8eBPI43jdJgyUH3FnkOvk5
	w1WoTQXhNWyXuB8A5C60YncIWy+1HqZfvpF2kiaewcrOm/9nD5vlkqeTk14sbzSTd9Bo
	Z8NCnoSEvFyipGuIPsjCSs5boCosgqxl0n7nQmxMtpBogTT8xDpIrD+O1IQVc87MmNho
	73QYd5nfIpLAYff+o1dirqjswHVnsMDK+h56q6mUHDG83528LitUNYX75umcUEZvSjWw
	kLNtMi+fKtURbtaoeQjzcVX3Q1riV1NHHPA5OPxvUHlGnlsucfU+df+HCg6mPgQWTCIQ
	hBVA==
X-Gm-Message-State: 
 AD7BkJLMR5B5JutCwdDWkndPIr7UkG7jajg3oLvnFN3B1LyEjErdSJ0gXClPw59QRbPOhA==
X-Received: by 10.98.44.73 with SMTP id s70mr5441392pfs.2.1459272349899;
	Tue, 29 Mar 2016 10:25:49 -0700 (PDT)
Received: from fourier (c-76-126-59-13.hsd1.ca.comcast.net. [76.126.59.13])
	by smtp.gmail.com with ESMTPSA id
	u64sm44600188pfa.86.2016.03.29.10.25.49
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 29 Mar 2016 10:25:49 -0700 (PDT)
Received: from kamal by fourier with local (Exim 4.86_2)
	(envelope-from <kamal@whence.com>)
	id 1akxOl-0000Kf-Q5; Tue, 29 Mar 2016 10:25:47 -0700
From: Kamal Mostafa <kamal@canonical.com>
To: Josh Boyer <jwboyer@fedoraproject.org>
Subject: [4.2.y-ckt stable] Patch "USB: iowarrior: fix oops with malicious
	USB descriptors" has been added to the 4.2.y-ckt tree
Date: Tue, 29 Mar 2016 10:25:46 -0700
Message-Id: <1459272346-1241-1-git-send-email-kamal@canonical.com>
X-Mailer: git-send-email 2.7.4
X-Extended-Stable: 4.2
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Ralf Spenneberg <ralf@spenneberg.net>,
	Kamal Mostafa <kamal@canonical.com>, kernel-team@lists.ubuntu.com
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

This is a note to let you know that I have just added a patch titled

    USB: iowarrior: fix oops with malicious USB descriptors

to the linux-4.2.y-queue branch of the 4.2.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-4.2.y-queue

This patch is scheduled to be released in version 4.2.8-ckt7.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 4.2.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

---8<------------------------------------------------------------

From 12469f7e0900dfbd01ed7289a68a7866d6a0f6be Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Mon, 14 Mar 2016 10:42:38 -0400
Subject: USB: iowarrior: fix oops with malicious USB descriptors

commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.

The iowarrior driver expects at least one valid endpoint.  If given
malicious descriptors that specify 0 for the number of endpoints,
it will crash in the probe function.  Ensure there is at least
one endpoint on the interface before using it.

The full report of this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/87

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/misc/iowarrior.c | 6 ++++++
 1 file changed, 6 insertions(+)

--
2.7.4

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index c6bfd13..1950e87 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface,
 	iface_desc = interface->cur_altsetting;
 	dev->product_id = le16_to_cpu(udev->descriptor.idProduct);

+	if (iface_desc->desc.bNumEndpoints < 1) {
+		dev_err(&interface->dev, "Invalid number of endpoints\n");
+		retval = -EINVAL;
+		goto error;
+	}
+
 	/* set up the endpoint information */
 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
 		endpoint = &iface_desc->endpoint[i].desc;