    ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe() · 696da022
    Hui Peng authored
    [ Upstream commit 39d170b3 ]
    
    The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects
    is initialized to point to the containing `ath6kl_usb` object
    according to endpoint descriptors read from the device side, as shown
    below in `ath6kl_usb_setup_pipe_resources`:
    
    for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
    	endpoint = &iface_desc->endpoint[i].desc;
    
    	// get the address from endpoint descriptor
    	pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
    						endpoint->bEndpointAddress,
    						&urbcount);
    	......
    	// select the pipe object
    	pipe = &ar_usb->pipes[pipe_num];
    
    	// initialize the ar_usb field
    	pipe->ar_usb = ar_usb;
    }
    
    The driver assumes that the addresses reported in endpoint
    descriptors from the device side are complete. If a device is
    malicious and does not report complete addresses, it may trigger a
    NULL-ptr-deref in `ath6kl_usb_alloc_urb_from_pipe` and
    `ath6kl_usb_free_urb_to_pipe`.
    
    This patch fixes the bug by preventing potential NULL-ptr-deref
    (CVE-2019-15098).
    Signed-off-by: Hui Peng <benquike@gmail.com>
    Reported-by: Hui Peng <benquike@gmail.com>
    Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
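The failure mode described in the commit message, as an added stand-alone model (not the ath6kl driver's code): a device that advertises fewer endpoints than the driver has pipes leaves some `ar_usb` back-pointers NULL, and the allocation path must bail on such a pipe before touching `pipe->ar_usb`. The struct layouts, the `cs_lock` counter standing in for the real spinlock, and the functions `setup_pipe_resources`, `alloc_urb_from_pipe` and `demo_incomplete_descriptors` are simplifications assumed for this example.

```c
#define ATH6KL_USB_PIPE_MAX 8   /* fixed number of logical pipes in the table */

/* Simplified models of the driver's objects (example only, not the kernel's). */
struct ath6kl_usb;
struct ath6kl_usb_pipe {
	struct ath6kl_usb *ar_usb;   /* back-pointer; NULL until an endpoint maps here */
	int urb_cnt;                 /* free URBs left on this pipe */
};
struct ath6kl_usb {
	int cs_lock;                 /* stands in for the spinlock the real code takes */
	struct ath6kl_usb_pipe pipes[ATH6KL_USB_PIPE_MAX];
};

/* Mirrors the loop quoted in the commit message: only the pipes that the
 * device's endpoint descriptors name get their ar_usb field set; the rest
 * stay zeroed, i.e. ar_usb == NULL. */
void setup_pipe_resources(struct ath6kl_usb *ar_usb,
			  const int *advertised, int n)
{
	for (int i = 0; i < n; i++) {
		struct ath6kl_usb_pipe *pipe = &ar_usb->pipes[advertised[i]];
		pipe->ar_usb = ar_usb;
		pipe->urb_cnt = 4;
	}
}

/* Hardened allocation path: refuse a pipe that was never initialized instead
 * of dereferencing pipe->ar_usb (the check the fix adds). Returns 1 on success. */
int alloc_urb_from_pipe(struct ath6kl_usb_pipe *pipe)
{
	if (!pipe->ar_usb)           /* bail if this pipe is not initialized */
		return 0;
	pipe->ar_usb->cs_lock++;     /* without the check, this faults on NULL */
	int ok = pipe->urb_cnt > 0;
	if (ok)
		pipe->urb_cnt--;
	pipe->ar_usb->cs_lock--;
	return ok;
}

/* Constructed scenario: a device advertising only pipes 0 and 1, then a use of
 * pipe 2. Returns 1 if the uninitialized pipe is rejected and pipe 0 still works. */
int demo_incomplete_descriptors(void)
{
	struct ath6kl_usb ar_usb = { 0 };        /* zeroed: every ar_usb is NULL */
	const int advertised[] = { 0, 1 };
	setup_pipe_resources(&ar_usb, advertised, 2);
	return alloc_urb_from_pipe(&ar_usb.pipes[2]) == 0 &&
	       alloc_urb_from_pipe(&ar_usb.pipes[0]) == 1;
}
```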