On Fri, 24 May 2019, Mauro Carvalho Chehab wrote:

> On Tue, 7 May 2019 12:39:47 -0400 (EDT)
> Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
>
> > The syzkaller USB fuzzer found a general-protection-fault bug in the
> > smsusb part of the Siano DVB driver.  The fault occurs during probe
> > because the driver assumes without checking that the device has both
> > IN and OUT endpoints and the IN endpoint is ep1.
> >
> > By slightly rearranging the driver's initialization code, we can make
> > the appropriate checks early on and thus avoid the problem.  If the
> > expected endpoints aren't present, the new code safely returns -ENODEV
> > from the probe routine.
> >
> > Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> > Reported-and-tested-by: syzbot+53f029db71c19a47325a@xxxxxxxxxxxxxxxxxxxxxxxxx
> > CC: <stable@xxxxxxxxxxxxxxx>
>
> Patch looks correct, and I'm applying it.  It exposes another potential
> problem though: what happens if sizeof(desc.wMaxPacketSize) < sizeof(struct sms_msg_hdr)?
>
> I'm enclosing a followup patch that should solve this situation
> (and clean up a sparse warning).
>
> Thanks,
> Mauro

Your points are well taken.  However, Greg KH has already taken the
original patch and a fix for the sparse warning into his tree.  I guess
the two of you should figure out how best to straighten this out.

Alan Stern
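The two checks discussed in this thread (probe must verify that the interface actually carries the IN and OUT endpoints the driver is about to use, and the IN endpoint's wMaxPacketSize must be large enough to hold a message header) are shown below as a self-contained model, written for this page and not taken from the smsusb driver or from either patch. It compiles and runs in user space: the endpoint descriptor fields, direction bit and transfer-type bits follow the USB specification, but `struct ep_desc`, `struct dev_eps`, `check_endpoints()` and the three `example_*` devices are constructed for illustration, and `struct sms_msg_hdr` is an assumed 8-byte stand-in for the driver's real header. The "IN endpoint must be ep1" rule is taken from the commit message's description of what the driver assumes; a driver that reads the endpoint address from the descriptor instead could drop that line.

```c
/* Model of the endpoint validation a USB probe routine should do before
 * using the device.  Added example, not smsusb code: descriptor fields and
 * bit masks follow the USB 2.0 spec, everything else is constructed here. */
#include <errno.h>   /* ENODEV */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DIR_IN                  0x80  /* bit 7 of bEndpointAddress */
#define USB_ENDPOINT_NUMBER_MASK    0x0f  /* low nibble: endpoint number */
#define USB_ENDPOINT_XFERTYPE_MASK  0x03  /* low two bits of bmAttributes */
#define USB_ENDPOINT_XFER_BULK      0x02

/* Only the endpoint-descriptor fields the check needs (constructed). */
struct ep_desc {
	uint8_t  bEndpointAddress;
	uint8_t  bmAttributes;
	uint16_t wMaxPacketSize;
};

/* Assumed stand-in for the driver's message header (8 bytes). */
struct sms_msg_hdr {
	uint16_t msg_type;
	uint8_t  msg_src_id;
	uint8_t  msg_dst_id;
	uint16_t msg_length;
	uint16_t msg_flags;
};

/* What probe records once the interface has been validated. */
struct dev_eps {
	uint8_t  in_ep;    /* address of the bulk IN endpoint (USB_DIR_IN set) */
	uint8_t  out_ep;   /* address of the bulk OUT endpoint */
	uint16_t in_maxp;  /* wMaxPacketSize of the IN endpoint */
};

/* Returns 0 and fills *out on success, or -ENODEV when the interface does
 * not look like the hardware the driver expects.  Doing this before any
 * endpoint is used is the whole point of the fix in the thread. */
int check_endpoints(const struct ep_desc *eps, size_t n, struct dev_eps *out)
{
	size_t i;

	out->in_ep = out->out_ep = 0;
	out->in_maxp = 0;
	for (i = 0; i < n; i++) {
		const struct ep_desc *d = &eps[i];

		if ((d->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) != USB_ENDPOINT_XFER_BULK)
			continue;            /* ignore interrupt/iso/control endpoints */
		if (d->bEndpointAddress & USB_DIR_IN) {
			if (!out->in_ep) {
				out->in_ep = d->bEndpointAddress;
				out->in_maxp = d->wMaxPacketSize;
			}
		} else if (!out->out_ep) {
			out->out_ep = d->bEndpointAddress;
		}
	}
	if (!out->in_ep || !out->out_ep)
		return -ENODEV;          /* a fuzzed device may omit either one */
	if ((out->in_ep & USB_ENDPOINT_NUMBER_MASK) != 1)
		return -ENODEV;          /* driver assumes the IN endpoint is ep1 */
	if (out->in_maxp < sizeof(struct sms_msg_hdr))
		return -ENODEV;          /* header would not fit in one packet */
	return 0;
}

/* Constructed sample interfaces.  Each returns check_endpoints()'s result. */
int example_good(void)
{
	static const struct ep_desc eps[] = { {0x81, 0x02, 512}, {0x02, 0x02, 512} };
	struct dev_eps r;
	return check_endpoints(eps, 2, &r);
}

int example_missing_out(void)   /* only an IN endpoint, as a fuzzer might offer */
{
	static const struct ep_desc eps[] = { {0x81, 0x02, 512} };
	struct dev_eps r;
	return check_endpoints(eps, 1, &r);
}

int example_tiny_packet(void)   /* both endpoints, but wMaxPacketSize < header */
{
	static const struct ep_desc eps[] = { {0x81, 0x02, 4}, {0x02, 0x02, 512} };
	struct dev_eps r;
	return check_endpoints(eps, 2, &r);
}

int main(void)
{
	printf("good: %d, missing OUT: %d, tiny packet: %d (ENODEV=%d)\n",
	       example_good(), example_missing_out(), example_tiny_packet(), ENODEV);
	return 0;
}
```

The order of the checks matters in the same way it did in the thread: presence of both endpoints is established first, and only then are their attributes (number, packet size) compared against what the driver will later rely on, so nothing dereferences an endpoint the device never declared.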