diff options
| author | Johan Hovold <johan@kernel.org> | 2015-09-23 11:41:42 -0700 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2015-10-13 03:46:11 +0100 |
| commit | cbea57119272755ccfd710fdaf4669ae05512b02 (patch) | |
| tree | 1fe120ea2a33794bd38d2afbd3e9dc408150ed5c | |
| parent | 307c6c27d5de3b44965cdba2a69e1d5f922a01c1 (diff) | |
| download | kernel_samsung_smdk4412-cbea57119272755ccfd710fdaf4669ae05512b02.zip kernel_samsung_smdk4412-cbea57119272755ccfd710fdaf4669ae05512b02.tar.gz kernel_samsung_smdk4412-cbea57119272755ccfd710fdaf4669ae05512b02.tar.bz2 | |
USB: whiteheat: fix potential null-deref at probe
commit cbb4be652d374f64661137756b8f357a1827d6a4 upstream.
Fix potential null-pointer dereference at probe by making sure that the
required endpoints are present.
The whiteheat driver assumes there are at least five pairs of bulk
endpoints, of which the final pair is used for the "command port". An
attempt to bind to an interface with fewer bulk endpoints would
currently lead to an oops.
Fixes CVE-2015-5257.
Reported-by: Moein Ghasemzadeh <moein@istuary.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
| -rw-r--r-- | drivers/usb/serial/whiteheat.c | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c index 5481809..75670b5 100644 --- a/drivers/usb/serial/whiteheat.c +++ b/drivers/usb/serial/whiteheat.c @@ -143,6 +143,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial, static int whiteheat_firmware_attach(struct usb_serial *serial); /* function prototypes for the Connect Tech WhiteHEAT serial converter */ +static int whiteheat_probe(struct usb_serial *serial, + const struct usb_device_id *id); static int whiteheat_attach(struct usb_serial *serial); static void whiteheat_release(struct usb_serial *serial); static int whiteheat_open(struct tty_struct *tty, @@ -188,6 +190,7 @@ static struct usb_serial_driver whiteheat_device = { .usb_driver = &whiteheat_driver, .id_table = id_table_std, .num_ports = 4, + .probe = whiteheat_probe, .attach = whiteheat_attach, .release = whiteheat_release, .open = whiteheat_open, @@ -387,6 +390,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial) /***************************************************************************** * Connect Tech's White Heat serial driver functions *****************************************************************************/ + +static int whiteheat_probe(struct usb_serial *serial, + const struct usb_device_id *id) +{ + struct usb_host_interface *iface_desc; + struct usb_endpoint_descriptor *endpoint; + size_t num_bulk_in = 0; + size_t num_bulk_out = 0; + size_t min_num_bulk; + unsigned int i; + + iface_desc = serial->interface->cur_altsetting; + + for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) { + endpoint = &iface_desc->endpoint[i].desc; + if (usb_endpoint_is_bulk_in(endpoint)) + ++num_bulk_in; + if (usb_endpoint_is_bulk_out(endpoint)) + ++num_bulk_out; + } + + min_num_bulk = COMMAND_PORT + 1; + if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk) + return -ENODEV; + + return 0; +} + static int whiteheat_attach(struct usb_serial *serial) { struct usb_serial_port *command_port; |