If a device with a malformed USB interface descriptor that indicates
zero endpoints are available is probed by our driver, the system will
crash due to NULL dereferences. This patch implements the fix suggested
in the mentioned Red Hat bugs.

Ref: CVE-2016-3139
Fixes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1556883
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1283375
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1283377

Signed-off-by: Jason Gerecke <jason.gere...@wacom.com>
---
Open question: RHEL has no plans to fix this in their tree -- do we want 
to fix it in input-wacom?

 2.6.30/wacom_sys.c | 6 ++++++
 2.6.36/wacom_sys.c | 6 ++++++
 2.6.38/wacom_sys.c | 6 ++++++
 3.7/wacom_sys.c    | 6 ++++++
 4 files changed, 24 insertions(+)

diff --git a/2.6.30/wacom_sys.c b/2.6.30/wacom_sys.c
index c12cb02..473292c 100644
--- a/2.6.30/wacom_sys.c
+++ b/2.6.30/wacom_sys.c
@@ -798,6 +798,12 @@ static int wacom_probe(struct usb_interface *intf, const 
struct usb_device_id *i
 
        wacom_wac->input = input_dev;
 
+       /* Verify that a device really has an endpoint */
+       if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
+               error = -EINVAL;
+               goto fail3;
+       }
+
        endpoint = &intf->cur_altsetting->endpoint[0].desc;
 
        /* Retrieve the physical and logical size for OEM devices */
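Review bot: The bail-out in 2.6.30 wacom_probe() goes to `fail3`, but neither that label nor the allocations before this point are visible in the hunk, so please confirm that `fail3` releases exactly what has been set up by the time `wacom_wac->input = input_dev;` has run. Since the check only reads `intf->cur_altsetting->desc.bNumEndpoints`, it could instead sit at the top of the function, before anything is allocated, and simply `return -EINVAL;`, which removes the dependency on the unwind path.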
diff --git a/2.6.36/wacom_sys.c b/2.6.36/wacom_sys.c
index eda6175..1d90a91 100644
--- a/2.6.36/wacom_sys.c
+++ b/2.6.36/wacom_sys.c
@@ -885,6 +885,12 @@ static int wacom_probe(struct usb_interface *intf, const 
struct usb_device_id *i
 
        wacom_wac->input = input_dev;
 
+       /* Verify that a device really has an endpoint */
+       if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
+               error = -EINVAL;
+               goto fail3;
+       }
+
        endpoint = &intf->cur_altsetting->endpoint[0].desc;
 
        /* Retrieve the physical and logical size for touch devices */
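Review bot: The new `bNumEndpoints < 1` branch in 2.6.36 fails the probe silently, so a user who plugs in a device with a bad descriptor gets no hint in the kernel log about why it did not bind. Consider a one-line `dev_err(&intf->dev, ...)` before `goto fail3;` that says the interface reported no endpoints. The comment could also mention CVE-2016-3139 so the reason for the check survives outside the commit message.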
diff --git a/2.6.38/wacom_sys.c b/2.6.38/wacom_sys.c
index 7902e21..190e5bc 100644
--- a/2.6.38/wacom_sys.c
+++ b/2.6.38/wacom_sys.c
@@ -1664,6 +1664,12 @@ static int wacom_probe(struct usb_interface *intf, const 
struct usb_device_id *i
        usb_make_path(dev, wacom->phys, sizeof(wacom->phys));
        strlcat(wacom->phys, "/input0", sizeof(wacom->phys));
 
+       /* Verify that a device really has an endpoint */
+       if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
+               error = -EINVAL;
+               goto fail3;
+       }
+
        endpoint = &intf->cur_altsetting->endpoint[0].desc;
 
        /* set the default size in case we do not get them from hid */
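Review bot: In 2.6.38 the check lands after `usb_make_path()` and `strlcat()`, a different point in the function than in the 2.6.30 and 2.6.36 hunks (where it follows `wacom_wac->input = input_dev;`), yet it reuses the same `goto fail3;`. Please verify that `fail3` in this tree matches the resources held at this position, since the label is not visible here and the error paths of the backported trees may not line up one to one.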
diff --git a/3.7/wacom_sys.c b/3.7/wacom_sys.c
index 3047773..da086ed 100644
--- a/3.7/wacom_sys.c
+++ b/3.7/wacom_sys.c
@@ -1662,6 +1662,12 @@ static int wacom_probe(struct usb_interface *intf, const 
struct usb_device_id *i
        usb_make_path(dev, wacom->phys, sizeof(wacom->phys));
        strlcat(wacom->phys, "/input0", sizeof(wacom->phys));
 
+       /* Verify that a device really has an endpoint */
+       if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
+               error = -EINVAL;
+               goto fail3;
+       }
+
        endpoint = &intf->cur_altsetting->endpoint[0].desc;
 
        /* set the default size in case we do not get them from hid */
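Review bot: The guard in 3.7 only proves that `endpoint[0]` exists; the very next line, `endpoint = &intf->cur_altsetting->endpoint[0].desc;`, still takes whatever type and direction the device declares. If the later code assumes an interrupt IN endpoint, a follow-up check with `usb_endpoint_is_int_in(endpoint)` after that assignment would reject descriptors that pass the count test but carry an unexpected endpoint. That can be a separate patch, but it is worth noting in the commit message that this change covers the zero-endpoint case only.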
-- 
2.8.2

