Commit e60479e0 authored by Vladis Dronov's avatar Vladis Dronov Committed by Tim Gardner

Input: ati_remote2 - fix crashes on detecting device with invalid descriptor

BugLink: http://bugs.launchpad.net/bugs/1572722

commit 950336ba upstream.

The ati_remote2 driver expects at least two interfaces with one
endpoint each. If given malicious descriptor that specify one
interface or no endpoints, it will crash in the probe function.
Ensure there is at least two interfaces and one endpoint for each
interface before using it.

The full disclosure: http://seclists.org/bugtraq/2016/Mar/90Reported-by: default avatarRalf Spenneberg <ralf@spenneberg.net>
Signed-off-by: default avatarVladis Dronov <vdronov@redhat.com>
Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarTim Gardner <tim.gardner@canonical.com>
parent a37a2ffb
...@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d ...@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
ar2->udev = udev; ar2->udev = udev;
/* Sanity check, first interface must have an endpoint */
if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
dev_err(&interface->dev,
"%s(): interface 0 must have an endpoint\n", __func__);
r = -ENODEV;
goto fail1;
}
ar2->intf[0] = interface; ar2->intf[0] = interface;
ar2->ep[0] = &alt->endpoint[0].desc; ar2->ep[0] = &alt->endpoint[0].desc;
/* Sanity check, the device must have two interfaces */
ar2->intf[1] = usb_ifnum_to_if(udev, 1); ar2->intf[1] = usb_ifnum_to_if(udev, 1);
if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
__func__, udev->actconfig->desc.bNumInterfaces);
r = -ENODEV;
goto fail1;
}
r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2); r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
if (r) if (r)
goto fail1; goto fail1;
/* Sanity check, second interface must have an endpoint */
alt = ar2->intf[1]->cur_altsetting; alt = ar2->intf[1]->cur_altsetting;
if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
dev_err(&interface->dev,
"%s(): interface 1 must have an endpoint\n", __func__);
r = -ENODEV;
goto fail2;
}
ar2->ep[1] = &alt->endpoint[0].desc; ar2->ep[1] = &alt->endpoint[0].desc;
r = ati_remote2_urb_init(ar2); r = ati_remote2_urb_init(ar2);
if (r) if (r)
goto fail2; goto fail3;
ar2->channel_mask = channel_mask; ar2->channel_mask = channel_mask;
ar2->mode_mask = mode_mask; ar2->mode_mask = mode_mask;
r = ati_remote2_setup(ar2, ar2->channel_mask); r = ati_remote2_setup(ar2, ar2->channel_mask);
if (r) if (r)
goto fail2; goto fail3;
usb_make_path(udev, ar2->phys, sizeof(ar2->phys)); usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
strlcat(ar2->phys, "/input0", sizeof(ar2->phys)); strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
...@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d ...@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group); r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
if (r) if (r)
goto fail2; goto fail3;
r = ati_remote2_input_init(ar2); r = ati_remote2_input_init(ar2);
if (r) if (r)
goto fail3; goto fail4;
usb_set_intfdata(interface, ar2); usb_set_intfdata(interface, ar2);
...@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d ...@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
return 0; return 0;
fail3: fail4:
sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group); sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
fail2: fail3:
ati_remote2_urb_cleanup(ar2); ati_remote2_urb_cleanup(ar2);
fail2:
usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]); usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
fail1: fail1:
kfree(ar2); kfree(ar2);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment