mirror of
https://github.com/torvalds/linux.git
synced 2024-12-22 10:56:40 +00:00
39d170b3cb
The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects
are initialized to point to the containing `ath6kl_usb` object
according to endpoint descriptors read from the device side, as shown
below in `ath6kl_usb_setup_pipe_resources`:
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
endpoint = &iface_desc->endpoint[i].desc;
// get the address from endpoint descriptor
pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
endpoint->bEndpointAddress,
&urbcount);
......
// select the pipe object
pipe = &ar_usb->pipes[pipe_num];
// initialize the ar_usb field
pipe->ar_usb = ar_usb;
}
The driver assumes that the addresses reported in endpoint
descriptors from device side to be complete. If a device is
malicious and does not report complete addresses, it may trigger
NULL-ptr-deref `ath6kl_usb_alloc_urb_from_pipe` and
`ath6kl_usb_free_urb_to_pipe`.
This patch fixes the bug by preventing potential NULL-ptr-deref
(CVE-2019-15098).
Signed-off-by: Hui Peng <benquike@gmail.com>
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
||
|---|---|---|
| .. | ||
| bmi.c | ||
| bmi.h | ||
| cfg80211.c | ||
| cfg80211.h | ||
| common.h | ||
| core.c | ||
| core.h | ||
| debug.c | ||
| debug.h | ||
| hif-ops.h | ||
| hif.c | ||
| hif.h | ||
| htc_mbox.c | ||
| htc_pipe.c | ||
| htc-ops.h | ||
| htc.h | ||
| init.c | ||
| Kconfig | ||
| main.c | ||
| Makefile | ||
| recovery.c | ||
| sdio.c | ||
| target.h | ||
| testmode.c | ||
| testmode.h | ||
| trace.c | ||
| trace.h | ||
| txrx.c | ||
| usb.c | ||
| wmi.c | ||
| wmi.h | ||