linux/drivers/usb
Greg Kroah-Hartman 2fae9e5a7b usb: misc: legousbtower: Fix NULL pointer deference
This patch fixes a NULL pointer dereference caused by a race condition in
the probe function of the legousbtower driver. It re-structures the
probe function to only register the interface after successfully reading
the board's firmware ID.

The probe function does not deregister the usb interface after an error
receiving the device's firmware ID. The device file registered
(/dev/usb/legousbtower%d) may be read/written globally before the probe
function returns. When tower_delete is called in the probe function
(after an r/w has been initiated), core dev structures are deleted while
the file operation functions are still running. If the 0 address is
mappable on the machine, this vulnerability can be used to create a
Local Privilege Escalation exploit via a write-what-where condition by
remapping dev->interrupt_out_buffer in tower_write. A forged USB device
and local program execution would be required for LPE. The USB device
would have to delay the control message in tower_probe and accept
the control urb in tower_open whilst guest code initiated a write to the
device file as tower_delete is called from the error in tower_probe.

This bug has existed since 2003. Patch tested by emulated device.

Reported-by: James Patrick-Evans <james@jmp-e.com>
Tested-by: James Patrick-Evans <james@jmp-e.com>
Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-09-21 18:31:18 +02:00
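
The ordering problem described in the commit message above, as an added user-space model (not the kernel patch and not the driver's code): the device node is published either before or after the firmware ID read, and a lookup shows what a file operation would find after a failed probe. All names here (`pool`, `minor_table`, `sim_open`, `sim_delete`, `probe_register_first`, `probe_register_last`) are constructed for illustration.

```c
/* Constructed user-space model of the probe ordering; not kernel code. */
enum dev_state { DEV_UNUSED, DEV_LIVE, DEV_FREED };
struct tower { enum dev_state state; };

static struct tower pool[2];          /* static pool: "freed" objects stay inspectable */
static struct tower *minor_table[2];  /* stands in for /dev/usb/legousbtower%d */

/* What a file operation finds when it looks the minor up. */
enum lookup { NO_NODE, NODE_LIVE, NODE_STALE };
static enum lookup sim_open(int minor)
{
    struct tower *dev = minor_table[minor];
    if (!dev) return NO_NODE;
    return dev->state == DEV_LIVE ? NODE_LIVE : NODE_STALE;
}

/* Models tower_delete(): tears down the device structure only. */
static void sim_delete(struct tower *dev) { dev->state = DEV_FREED; }

/* Pre-fix order: node registered first, error path frees without deregistering. */
static int probe_register_first(int minor, int firmware_ok)
{
    struct tower *dev = &pool[minor];
    dev->state = DEV_LIVE;
    minor_table[minor] = dev;         /* node reachable from here on */
    if (!firmware_ok) {
        sim_delete(dev);              /* node still points at the dead device */
        return -1;
    }
    return 0;
}

/* Post-fix order: node registered only after the firmware ID read succeeded. */
static int probe_register_last(int minor, int firmware_ok)
{
    struct tower *dev = &pool[minor];
    dev->state = DEV_LIVE;
    if (!firmware_ok) {
        sim_delete(dev);              /* never published, nothing can reach it */
        return -1;
    }
    minor_table[minor] = dev;
    return 0;
}

int main(void)
{
    return (probe_register_first(0, 0) == -1 && sim_open(0) == NODE_STALE &&
            probe_register_last(1, 0) == -1 && sim_open(1) == NO_NODE) ? 0 : 1;
}
```
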
atm usb: atm: usbatm: don't print on ENOMEM 2016-08-30 19:17:36 +02:00
c67x00
chipidea usb: chipidea: udc: Use the preferred form for passing a size of a struct 2016-09-14 10:58:13 +08:00
class cdc-acm: hardening against malicious devices 2016-09-21 09:48:27 +02:00
common usb: patches for v4.9 merge window 2016-09-14 20:37:50 +02:00
core Merge 4.8-rc7 into usb-next 2016-09-19 09:12:41 +02:00
dwc2 usb: patches for v4.9 merge window 2016-09-14 20:37:50 +02:00
dwc3 usb: patches for v4.9 merge window 2016-09-14 20:37:50 +02:00
early usb: early/ehci-dbgp: make it explicitly non-modular 2016-06-26 11:48:18 -07:00
gadget Revert "usb: gadget: NCM: Protect dev->port_usb using dev->lock" 2016-09-19 11:05:43 +02:00
host usb: ohci: Allow ohci on omap5 also 2016-09-13 17:26:32 +02:00
image usb: microtek: Use "foo *bar" instead of "foo * bar". 2016-06-07 22:18:39 -07:00
isp1760 usb: Remove unnecessary space before open square bracket. 2016-05-09 13:08:46 +02:00
misc usb: misc: legousbtower: Fix NULL pointer deference 2016-09-21 18:31:18 +02:00
mon usb: core: rename mutex usb_bus_list_lock to usb_bus_idr_lock 2016-02-06 21:55:57 -08:00
musb Merge 4.8-rc7 into usb-next 2016-09-19 09:12:41 +02:00
phy usb: patches for v4.9 merge window 2016-09-14 20:37:50 +02:00
renesas_usbhs usb: patches for v4.9 merge window 2016-09-14 20:37:50 +02:00
serial Merge 4.8-rc7 into usb-next 2016-09-19 09:12:41 +02:00
storage scsi: introduce a quirk for false cache reporting 2016-09-13 08:08:24 +02:00
usbip usb: usbip: vudc: fix left shift overflow 2016-08-30 22:28:52 +02:00
wusbcore USB: wusbcore: add in missing white space in error message text 2016-09-13 17:24:24 +02:00
Kconfig usb: Kconfig: let USB_ULPI_BUS depends on USB_COMMON 2016-09-12 10:43:38 +02:00
Makefile usb: fsl: drop USB_FSL_MPH_DR_OF Kconfig symbol 2016-03-04 15:14:29 +02:00
README
usb-skeleton.c usb: usb-skeleton: don't print on ENOMEM 2016-08-30 19:17:39 +02:00

To understand the whole Linux-USB framework, you'll use these resources:

    * This source code.  This is necessarily an evolving work, and
      includes kerneldoc that should help you get a current overview.
      ("make pdfdocs", and then look at "usb.pdf" for host side and
      "gadget.pdf" for peripheral side.)  Also, Documentation/usb has
      more information.

    * The USB 2.0 specification (from www.usb.org), with supplements
      such as those for USB OTG and the various device classes.
      The USB specification has a good overview chapter, and USB
      peripherals conform to the widely known "Chapter 9".

    * Chip specifications for USB controllers.  Examples include
      host controllers (on PCs, servers, and more); peripheral
      controllers (in devices with Linux firmware, like printers or
      cell phones); and hard-wired peripherals like Ethernet adapters.

    * Specifications for other protocols implemented by USB peripheral
      functions.  Some are vendor-specific; others are vendor-neutral
      but just standardized outside of the www.usb.org team.

Here is a list of the subdirectories here and what each of them
contains.

core/		- This is for the core USB host code, including the
		  usbfs files and the hub class driver ("hub_wq").

host/		- This is for USB host controller drivers.  This
		  includes UHCI, OHCI, EHCI, and others that might
		  be used with more specialized "embedded" systems.

gadget/		- This is for USB peripheral controller drivers and
		  the various gadget drivers which talk to them.


Individual USB driver directories.  A new driver should be added to the
first subdirectory in the list below that it fits into.

image/		- This is for still image drivers, like scanners or
		  digital cameras.
../input/	- This is for any driver that uses the input subsystem,
		  like keyboards, mice, touchscreens, tablets, etc.
../media/	- This is for multimedia drivers, like video cameras,
		  radios, and any other drivers that talk to the v4l
		  subsystem.
../net/		- This is for network drivers.
serial/		- This is for USB to serial drivers.
storage/	- This is for USB mass-storage drivers.
class/		- This is for all USB device drivers that do not fit
		  into any of the above categories, and work for a range
		  of USB Class specified devices. 
misc/		- This is for all USB device drivers that do not fit
		  into any of the above categories.