On Wed, 16 Mar 2016, Oliver Neukum wrote:

> On Wed, 2016-03-16 at 10:08 -0400, Alan Stern wrote:
> > On Wed, 16 Mar 2016, Oliver Neukum wrote:
> >
> > > Attacks that trick drivers into passing a NULL pointer
> > > to usb_driver_claim_interface() using forged descriptors are
> > > known. This thwarts them by sanity checking.
> >
> > I'm curious -- how do these attacks carry out their trickery?
>
> They are using a programmable gadget.
> http://seclists.org/bugtraq/2016/Mar/90

I see. The driver uses the output of usb_ifnum_to_if() without checking it for NULL.

While adding your check to usb_driver_claim_interface() is a reasonable thing to do, it might not solve all the problems. A driver might still try to use the invalid interface pointer (perhaps when writing out an error message).

It would be best to audit all the places that call usb_ifnum_to_if() or usb_altnum_to_altsetting() or usb_find_alt_setting() to be certain they don't try to dereference a NULL pointer.

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
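The two layers of defence discussed in the thread, as an added C model that is not code from the thread or from the kernel: ifnum_to_if, claim_interface and the struct definitions are simplified stand-ins for the kernel's usb_ifnum_to_if(), usb_driver_claim_interface() and USB config structures, probe_companion is a hypothetical driver probe, and make_config builds a constructed two-interface configuration.

```c
#include <errno.h>
#include <stdio.h>
/* Simplified stand-ins for the kernel's usb_interface / usb_host_config. */
struct usb_interface {
    unsigned char bInterfaceNumber;
    int claimed;
};
struct usb_host_config {
    unsigned char bNumInterfaces;
    struct usb_interface interfaces[4];
};

/* Mirrors usb_ifnum_to_if(): NULL when a forged descriptor names an absent interface. */
struct usb_interface *ifnum_to_if(struct usb_host_config *cfg, unsigned ifnum)
{
    for (unsigned i = 0; i < cfg->bNumInterfaces; i++)
        if (cfg->interfaces[i].bInterfaceNumber == ifnum)
            return &cfg->interfaces[i];
    return NULL;
}

/* The sanity check the patch adds to usb_driver_claim_interface(). */
int claim_interface(struct usb_interface *iface)
{
    if (!iface)
        return -EINVAL;   /* reject instead of dereferencing NULL */
    if (iface->claimed)
        return -EBUSY;
    iface->claimed = 1;
    return 0;
}

/* Caller-side audit: hypothetical probe checks the lookup before any use, even in the error path. */
int probe_companion(struct usb_host_config *cfg, unsigned companion_ifnum)
{
    struct usb_interface *iface = ifnum_to_if(cfg, companion_ifnum);
    if (!iface) {
        fprintf(stderr, "companion interface %u not present\n", companion_ifnum);
        return -EINVAL;
    }
    return claim_interface(iface);
}

/* Constructed configuration with interfaces 0 and 1; any other number is forged. */
struct usb_host_config make_config(void)
{
    struct usb_host_config cfg = { .bNumInterfaces = 2 };
    cfg.interfaces[1].bInterfaceNumber = 1;
    return cfg;
}
```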