On Thu, Oct 03, 2019 at 03:49:58PM +0200, Johan Hovold wrote:
> Fix NULL-pointer dereferences on open() and write() which can be
> triggered by a malicious USB device.
>
> The current URB allocation helper would fail to initialise the newly
> allocated URB if the device has unexpected endpoint descriptors,
> something which could lead NULL-pointer dereferences in a number of
> open() and write() paths when accessing the URB. For example:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> ...
> RIP: 0010:usb_clear_halt+0x11/0xc0
> ...
> Call Trace:
> ? tty_port_open+0x4d/0xd0
> keyspan_open+0x70/0x160 [keyspan]
> serial_port_activate+0x5b/0x80 [usbserial]
> tty_port_open+0x7b/0xd0
> ? check_tty_count+0x43/0xa0
> tty_open+0xf1/0x490
>
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> ...
> RIP: 0010:keyspan_write+0x14e/0x1f3 [keyspan]
> ...
> Call Trace:
> serial_write+0x43/0xa0 [usbserial]
> n_tty_write+0x1af/0x4f0
> ? do_wait_intr_irq+0x80/0x80
> ? process_echoes+0x60/0x60
> tty_write+0x13f/0x2f0
>
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> ...
> RIP: 0010:keyspan_usa26_send_setup+0x298/0x305 [keyspan]
> ...
> Call Trace:
> keyspan_open+0x10f/0x160 [keyspan]
> serial_port_activate+0x5b/0x80 [usbserial]
> tty_port_open+0x7b/0xd0
> ? check_tty_count+0x43/0xa0
> tty_open+0xf1/0x490
>
> Fixes: fdcba53e2d58 ("fix for bugzilla #7544 (keyspan USB-to-serial converter)")
> Cc: stable <stable@xxxxxxxxxxxxxxx> # 2.6.21
> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
Reviewed-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
