Commit 382089ca authored by Oliver Neukum's avatar Oliver Neukum Committed by Greg Kroah-Hartman

cdc-acm: added sanity checking for probe()

This is an alternative to eccf2a4e
which inadvertedly fixes an oops in probe by a device returning
malformed descriptors. The problem allows a malicious device to
attack the kernel.
That patch in v4.8 is too extensive to backport to stable.
Thus this alternative fix is needed up to v4.7
Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
Reported-by: default avatarBinyamin Sharet <bsharet@cisco.com>
Tested-by: default avatarBinyamin Sharet <bsharet@cisco.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 2f9fb256
...@@ -1196,6 +1196,8 @@ static int acm_probe(struct usb_interface *intf, ...@@ -1196,6 +1196,8 @@ static int acm_probe(struct usb_interface *intf,
} }
if (!buflen) { if (!buflen) {
if (!intf->cur_altsetting || !intf->cur_altsetting->endpoint)
return -EINVAL;
if (intf->cur_altsetting->endpoint && if (intf->cur_altsetting->endpoint &&
intf->cur_altsetting->endpoint->extralen && intf->cur_altsetting->endpoint->extralen &&
intf->cur_altsetting->endpoint->extra) { intf->cur_altsetting->endpoint->extra) {
...@@ -1276,6 +1278,8 @@ static int acm_probe(struct usb_interface *intf, ...@@ -1276,6 +1278,8 @@ static int acm_probe(struct usb_interface *intf,
data_interface = usb_ifnum_to_if(usb_dev, (data_interface_num = call_interface_num)); data_interface = usb_ifnum_to_if(usb_dev, (data_interface_num = call_interface_num));
control_interface = intf; control_interface = intf;
} else { } else {
if (!intf->cur_altsetting)
return -ENODEV;
if (intf->cur_altsetting->desc.bNumEndpoints != 3) { if (intf->cur_altsetting->desc.bNumEndpoints != 3) {
dev_dbg(&intf->dev,"No union descriptor, giving up\n"); dev_dbg(&intf->dev,"No union descriptor, giving up\n");
return -ENODEV; return -ENODEV;
...@@ -1305,15 +1309,22 @@ static int acm_probe(struct usb_interface *intf, ...@@ -1305,15 +1309,22 @@ static int acm_probe(struct usb_interface *intf,
combined_interfaces = 1; combined_interfaces = 1;
/* a popular other OS doesn't use it */ /* a popular other OS doesn't use it */
quirks |= NO_CAP_LINE; quirks |= NO_CAP_LINE;
if (!data_interface->cur_altsetting)
return -EINVAL;
if (data_interface->cur_altsetting->desc.bNumEndpoints != 3) { if (data_interface->cur_altsetting->desc.bNumEndpoints != 3) {
dev_err(&intf->dev, "This needs exactly 3 endpoints\n"); dev_err(&intf->dev, "This needs exactly 3 endpoints\n");
return -EINVAL; return -EINVAL;
} }
look_for_collapsed_interface: look_for_collapsed_interface:
if (!data_interface->cur_altsetting)
return -EINVAL;
for (i = 0; i < 3; i++) { for (i = 0; i < 3; i++) {
struct usb_endpoint_descriptor *ep; struct usb_endpoint_descriptor *ep;
ep = &data_interface->cur_altsetting->endpoint[i].desc; ep = &data_interface->cur_altsetting->endpoint[i].desc;
if (!ep)
return -ENODEV;
if (usb_endpoint_is_int_in(ep)) if (usb_endpoint_is_int_in(ep))
epctrl = ep; epctrl = ep;
else if (usb_endpoint_is_bulk_out(ep)) else if (usb_endpoint_is_bulk_out(ep))
...@@ -1332,8 +1343,12 @@ static int acm_probe(struct usb_interface *intf, ...@@ -1332,8 +1343,12 @@ static int acm_probe(struct usb_interface *intf,
skip_normal_probe: skip_normal_probe:
/*workaround for switched interfaces */ /*workaround for switched interfaces */
if (!data_interface->cur_altsetting)
return -EINVAL;
if (data_interface->cur_altsetting->desc.bInterfaceClass if (data_interface->cur_altsetting->desc.bInterfaceClass
!= CDC_DATA_INTERFACE_TYPE) { != CDC_DATA_INTERFACE_TYPE) {
if (!control_interface->cur_altsetting)
return -EINVAL;
if (control_interface->cur_altsetting->desc.bInterfaceClass if (control_interface->cur_altsetting->desc.bInterfaceClass
== CDC_DATA_INTERFACE_TYPE) { == CDC_DATA_INTERFACE_TYPE) {
dev_dbg(&intf->dev, dev_dbg(&intf->dev,
...@@ -1356,6 +1371,7 @@ static int acm_probe(struct usb_interface *intf, ...@@ -1356,6 +1371,7 @@ static int acm_probe(struct usb_interface *intf,
if (data_interface->cur_altsetting->desc.bNumEndpoints < 2 || if (data_interface->cur_altsetting->desc.bNumEndpoints < 2 ||
!control_interface->cur_altsetting ||
control_interface->cur_altsetting->desc.bNumEndpoints == 0) control_interface->cur_altsetting->desc.bNumEndpoints == 0)
return -EINVAL; return -EINVAL;
...@@ -1363,6 +1379,8 @@ static int acm_probe(struct usb_interface *intf, ...@@ -1363,6 +1379,8 @@ static int acm_probe(struct usb_interface *intf,
epread = &data_interface->cur_altsetting->endpoint[0].desc; epread = &data_interface->cur_altsetting->endpoint[0].desc;
epwrite = &data_interface->cur_altsetting->endpoint[1].desc; epwrite = &data_interface->cur_altsetting->endpoint[1].desc;
if (!epctrl || !epread || !epwrite)
return -ENODEV;
/* workaround for switched endpoints */ /* workaround for switched endpoints */
if (!usb_endpoint_dir_in(epread)) { if (!usb_endpoint_dir_in(epread)) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment