On Wed, 16 Mar 2016, Oliver Neukum wrote:
> Attacks that trick drivers into passing a NULL pointer
> to usb_driver_claim_interface() using forged descriptors are
> known. This thwarts them by sanity checking.
I'm curious -- how do these attacks carry out their trickery?
Alan Stern
On Wed, 16 Mar 2016, Oliver Neukum wrote:
> On Wed, 2016-03-16 at 10:08 -0400, Alan Stern wrote:
> > On Wed, 16 Mar 2016, Oliver Neukum wrote:
> >
> > > Attacks that trick drivers into passing a NULL pointer
> > > to usb_driver_claim_interface() using forged descriptors are
> > > known. This
On Wed, 2016-03-16 at 10:08 -0400, Alan Stern wrote:
> On Wed, 16 Mar 2016, Oliver Neukum wrote:
>
> > Attacks that trick drivers into passing a NULL pointer
> > to usb_driver_claim_interface() using forged descriptors are
> > known. This thwarts them by sanity checking.
>
> I'm curious -- how
On Thu, 2016-03-17 at 12:44 +0100, Oliver Neukum wrote:
> On Wed, 2016-03-16 at 10:41 -0400, Alan Stern wrote:
>
> > While adding your check to usb_driver_claim_interface() is a reasonable
> > thing to do, it might not solve all the problems. A driver might still
> > try to use the invalid
Attacks that trick drivers into passing a NULL pointer
to usb_driver_claim_interface() using forged descriptors are
known. This thwarts them by sanity checking.
Signed-off-by: Oliver Neukum
CC: sta...@vger.kernel.org
---
drivers/usb/core/driver.c | 6 +-
1 file changed, 5
On Wed, 2016-03-16 at 10:41 -0400, Alan Stern wrote:
> While adding your check to usb_driver_claim_interface() is a reasonable
> thing to do, it might not solve all the problems. A driver might still
> try to use the invalid interface pointer (perhaps when writing out an
> error message). It