On Thu, Apr 11, 2019 at 10:51:47AM +0800, Yang Xiao wrote:
> Hi,
>
> There are NULL pointer dereferences in the function stk_camera_probe in
> drivers/media/usb/stkwebcam/stk-webcam.c and function s2255_probe in
> drivers/media/usb/s2255/s2255drv.c, which allows proximate attackers
> to cause a denial of service via a crafted endpoints value in USB
> device descriptor.
>
> 1286 static int stk_camera_probe(struct usb_interface *interface,
> 1287                             const struct usb_device_id *id)
> ...
> 1351         iface_desc = interface->cur_altsetting;
> 1352
> 1353         for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
> 1354                 endpoint = &iface_desc->endpoint[i].desc;
> 1355
> 1356                 if (!dev->isoc_ep
> 1357                     && usb_endpoint_is_isoc_in(endpoint)) {
> 1358                         /* we found an isoc in endpoint */
> 1359                         dev->isoc_ep = usb_endpoint_num(endpoint);
> 1360                         break;
> 1361                 }
> 1362         }
>
> The driver expects at least one valid endpoint. If given malicious
> descriptors that specify 0 for the number of endpoints, it will crash
> in the probe function (NULL POINTER DEREFERENCE in line 1354).
>
> The same applies to the function s2255_probe.
>
> The reason for this vulnerability is the same as CVE-2016-2188, which
> was fixed in commit 4ec0ef3a82125efc36173062a50624550a900ae0.

Can you please resend your patch in a format that I can apply it in?

Actually, it needs to go to the correct maintainer/subsystem, please use
scripts/get_maintainer.pl on your patch to determine that.

thanks,

greg k-h
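As an added illustration of the guard the report points at (not the patch under discussion and not kernel code): a stand-alone C model of the stk_camera_probe endpoint scan with a CVE-2016-2188-style check that rejects an interface advertising zero endpoints before the loop indexes iface_desc->endpoint. The USB structs, constants and the two sample interfaces are constructed stand-ins, not the <linux/usb.h> definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-ins for the kernel USB types (not <linux/usb.h>):
 * only the fields the stk_camera_probe loop reads. */
#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_ISOC     0x01
struct usb_endpoint_descriptor  { uint8_t bEndpointAddress, bmAttributes; };
struct usb_host_endpoint        { struct usb_endpoint_descriptor desc; };
struct usb_interface_descriptor { uint8_t bNumEndpoints; };
struct usb_host_interface {
	struct usb_interface_descriptor desc;
	struct usb_host_endpoint *endpoint; /* NULL when the device advertises none */
};

static int usb_endpoint_is_isoc_in(const struct usb_endpoint_descriptor *e)
{
	return (e->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_ISOC
	    && (e->bEndpointAddress & USB_DIR_IN);
}

/* Hardened form of the scan quoted in the report. The leading guard is the
 * pattern of the CVE-2016-2188 fix: reject an interface that advertises no
 * endpoints before ->endpoint is indexed. Returns the isoc IN endpoint
 * number, or -ENODEV when the device cannot be driven. */
int find_isoc_in_endpoint(const struct usb_host_interface *iface_desc)
{
	int i;
	if (iface_desc->desc.bNumEndpoints < 1 || iface_desc->endpoint == NULL)
		return -ENODEV;
	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
		const struct usb_endpoint_descriptor *ep = &iface_desc->endpoint[i].desc;
		if (usb_endpoint_is_isoc_in(ep))
			return ep->bEndpointAddress & 0x0f;   /* usb_endpoint_num() */
	}
	return -ENODEV; /* endpoints present, but none is isoc IN */
}

/* Constructed sample interfaces: a crafted one claiming zero endpoints, and a
 * plausible camera with a bulk OUT endpoint followed by isoc IN endpoint 2. */
static struct usb_host_interface crafted_iface = { { 0 }, NULL };
static struct usb_host_endpoint camera_eps[] = {
	{ { 0x01, 0x02 } },                    /* EP1 OUT, bulk */
	{ { 0x82, USB_ENDPOINT_XFER_ISOC } },  /* EP2 IN, isochronous */
};
static struct usb_host_interface camera_iface = { { 2 }, camera_eps };
int probe_crafted(void) { return find_isoc_in_endpoint(&crafted_iface); } /* -ENODEV */
int probe_camera(void)  { return find_isoc_in_endpoint(&camera_iface); }  /* 2 */
```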