Re: [Umap2][5/11][22b8:2d93] NULL pointer dereference

Wed, 17 Aug 2016 06:27:09 -0700 

On Tue, 2016-08-16 at 16:46 +0300, Binyamin Sharet wrote:
> Kernel version: raspberrypi 4.4.6-v7+ #871
> Driver source file: drivers/usb/class/cdc-acm.c
> Umap2 command line: umap2vsscan -P <PHY> -s 22b8:2d93

Hi,

could you retest this kernel with the attached fix,
so I know whether it can go into stable?

        Regards
                Oliver


From d741851d2b51a4693368487bc0046836b8458d98 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <[email protected]>
Date: Wed, 17 Aug 2016 15:19:28 +0200
Subject: [PATCH] cdc-acm: added sanity checking for probe()

This is analternative to eccf2a4e6b64d249929acc1f7aaa2ab0fb199d3d
which inadvertedly fixes an oops in probe by malformed descriptors.
The patch is too extensive to backport to stable.

Signed-off-by: Oliver Neukum <[email protected]>
---
 drivers/usb/class/cdc-acm.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index ba6b978..2bf5cfa 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1002,6 +1002,8 @@ static int acm_probe(struct usb_interface *intf,
 	}
 
 	if (!buflen) {
+		if (!intf->cur_altsetting || !intf->cur_altsetting->endpoint)
+			return -EINVAL;
 		if (intf->cur_altsetting->endpoint &&
 				intf->cur_altsetting->endpoint->extralen &&
 				intf->cur_altsetting->endpoint->extra) {
@@ -1098,6 +1100,8 @@ next_desc:
 		combined_interfaces = 1;
 		/* a popular other OS doesn't use it */
 		quirks |= NO_CAP_LINE;
+		if (!data_interface->cur_altsetting)
+			return -EINVAL;
 		if (data_interface->cur_altsetting->desc.bNumEndpoints != 3) {
 			dev_err(&intf->dev, "This needs exactly 3 endpoints\n");
 			return -EINVAL;
@@ -1107,6 +1111,9 @@ look_for_collapsed_interface:
 			struct usb_endpoint_descriptor *ep;
 			ep = &data_interface->cur_altsetting->endpoint[i].desc;
 
+			if (!ep)
+				return -ENODEV;
+
 			if (usb_endpoint_is_int_in(ep))
 				epctrl = ep;
 			else if (usb_endpoint_is_bulk_out(ep))
@@ -1127,6 +1134,8 @@ skip_normal_probe:
 	/*workaround for switched interfaces */
 	if (data_interface->cur_altsetting->desc.bInterfaceClass
 						!= CDC_DATA_INTERFACE_TYPE) {
+		if (!control_interface->cur_altsetting)
+			return -EINVAL;
 		if (control_interface->cur_altsetting->desc.bInterfaceClass
 						== CDC_DATA_INTERFACE_TYPE) {
 			struct usb_interface *t;
@@ -1152,6 +1161,7 @@ skip_normal_probe:
 
 
 	if (data_interface->cur_altsetting->desc.bNumEndpoints < 2 ||
+	    !control_interface->cur_altsetting ||
 	    control_interface->cur_altsetting->desc.bNumEndpoints == 0)
 		return -EINVAL;
 
@@ -1159,6 +1169,8 @@ skip_normal_probe:
 	epread = &data_interface->cur_altsetting->endpoint[0].desc;
 	epwrite = &data_interface->cur_altsetting->endpoint[1].desc;
 
+	if (!epctrl || !epread || !epwrite)
+		return -ENODEV; 
 
 	/* workaround for switched endpoints */
 	if (!usb_endpoint_dir_in(epread)) {
-- 
2.1.4

Reply via email to