leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7d7e21fafd
linux/drivers/usb
History
Johan Hovold 7d7e21fafd USB: serial: keyspan: fix NULL-derefs on open() and write() 
Fix NULL-pointer dereferences on open() and write() which can be
triggered by a malicious USB device.

The current URB allocation helper would fail to initialise the newly
allocated URB if the device has unexpected endpoint descriptors,
something which could lead NULL-pointer dereferences in a number of
open() and write() paths when accessing the URB. For example:

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	...
	RIP: 0010:usb_clear_halt+0x11/0xc0
	...
	Call Trace:
	 ? tty_port_open+0x4d/0xd0
	 keyspan_open+0x70/0x160 [keyspan]
	 serial_port_activate+0x5b/0x80 [usbserial]
	 tty_port_open+0x7b/0xd0
	 ? check_tty_count+0x43/0xa0
	 tty_open+0xf1/0x490

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	...
	RIP: 0010:keyspan_write+0x14e/0x1f3 [keyspan]
	...
	Call Trace:
	 serial_write+0x43/0xa0 [usbserial]
	 n_tty_write+0x1af/0x4f0
	 ? do_wait_intr_irq+0x80/0x80
	 ? process_echoes+0x60/0x60
	 tty_write+0x13f/0x2f0

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	...
	RIP: 0010:keyspan_usa26_send_setup+0x298/0x305 [keyspan]
	...
	Call Trace:
	 keyspan_open+0x10f/0x160 [keyspan]
	 serial_port_activate+0x5b/0x80 [usbserial]
	 tty_port_open+0x7b/0xd0
	 ? check_tty_count+0x43/0xa0
	 tty_open+0xf1/0x490

Fixes: fdcba53e2d ("fix for bugzilla #7544 (keyspan USB-to-serial converter)")
Cc: stable <stable@vger.kernel.org>	# 2.6.21
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2019-10-04 10:57:19 +02:00
..
atm USB: atm: cxacru: convert to use dev_groups 2019-08-09 07:55:45 +02:00
c67x00
cdns3 usb: cdns3: Remove redundant dev_err call in cdns3_probe() 2019-09-03 20:31:34 +02:00
chipidea Add role switch class support for chipidea 2019-09-05 10:02:07 +02:00
class Merge 5.3-rc7 into usb-next 2019-09-02 19:31:18 +02:00
common usb: common: add USB GPIO based connection detection driver 2019-09-03 19:01:04 +02:00
core LED updates for 5.4-rc1 2019-09-17 18:40:42 -07:00
dwc2 USB: Changes for v5.4 merge window 2019-09-02 19:20:57 +02:00
dwc3 usb: dwc3: remove generic PHY calibrate() calls 2019-09-03 15:54:56 +02:00
early
gadget Merge branch 'work.mount3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-09-24 12:33:34 -07:00
host USB changes for 5.4-rc1 2019-09-18 10:33:46 -07:00
image scsi: usb: image: microtek: use sg helper to iterate over scatterlist 2019-06-20 15:21:32 -04:00
isp1760 usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
misc USB: rio500: Fix lockdep violation 2019-09-03 20:18:18 +02:00
mon
mtu3 usb: mtu3: register a USB Role Switch for dual role mode 2019-09-03 20:02:15 +02:00
musb usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
phy USB: Changes for v5.4 merge window 2019-09-02 19:20:57 +02:00
renesas_usbhs usb: add a HCD_DMA flag instead of guestimating DMA capabilities 2019-08-21 10:03:35 -07:00
roles USB changes for 5.4-rc1 2019-09-18 10:33:46 -07:00
serial USB: serial: keyspan: fix NULL-derefs on open() and write() 2019-10-04 10:57:19 +02:00
storage Modules updates for v5.4 2019-09-22 10:34:46 -07:00
typec LED updates for 5.4-rc1 2019-09-17 18:40:42 -07:00
usbip usbip: Implement SG support to vhci-hcd and stub driver 2019-09-03 16:00:38 +02:00
Kconfig usb: common: create Kconfig file 2019-09-03 19:00:39 +02:00
Makefile USB: Changes for v5.4 merge window 2019-09-02 19:20:57 +02:00
usb-skeleton.c usb: usb-skeleton: make comment block in line with coding style 2019-08-21 09:57:36 -07:00