On Thu, Feb 04, 2010 at 03:51:32PM +0100, Simon Richter wrote:
> Package: linux-2.6
> Version: 2.6.32-5
> Severity: normal
> 
> Hi,
> 
> while playing with a USB device, I found that the kernel dereferences a
> NULL pointer if a CDC ACM device declares to have no endpoints
> associated with the CDC control interface. I believe the validity check
> should be more stringent here.

I agree. Let's see what upstream has to say.

Ben.

> The relevant bits of code look like this:
> 
>         epctrl = &control_interface->cur_altsetting->endpoint[0].desc;
>         epread = &data_interface->cur_altsetting->endpoint[0].desc;
>         epwrite = &data_interface->cur_altsetting->endpoint[1].desc;
> 
> No further verification except for swapped data endpoints is performed
> afterwards.
> 
>    Simon
> 
> -- Package-specific info:
> ** Version:
> Linux version 2.6.32-trunk-amd64 (Debian 2.6.32-5) (ben@xxxxxxxxxxxxxxx) (gcc version 4.3.4 (Debian 4.3.4-6) ) #1 SMP Sun Jan 10 22:40:40 UTC 2010
> 
> ** Command line:
> BOOT_IMAGE=/vmlinuz-2.6.32-trunk-amd64 root=/dev/mapper/richter-root ro quiet
> 
> ** Not tainted
> 
> ** Kernel log:
> [11278.817700] cdc_acm 2-3:1.0: This device cannot do calls on its own. It is not a modem.
> [11278.817743] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
> [11278.817746] IP: [<ffffffffa02b9ca9>] acm_probe+0x4d6/0xcb1 [cdc_acm]
> [11278.817756] PGD 600d1067 PUD 60086067 PMD 0 
> [11278.817760] Oops: 0000 [#1] SMP 
> [11278.817762] last sysfs file: /sys/devices/pci0000:00/0000:00:12.0/usb2/2-3/manufacturer
> [11278.817765] CPU 0 
> [11278.817767] Modules linked in: radeon ttm drm_kms_helper drm agpgart i2c_algo_bit ppdev lp sco bridge stp rfcomm bnep l2cap crc16 powernow_k8 cpufreq_powersave cpufreq_userspace cpufreq_conservative cpufreq_stats binfmt_misc deflate zlib_deflat
> ellia serpent blowfish cast5 des_generic cbc cryptd aes_x86_64 aes_generic xcbc rmd160 sha256_generic sha1_generic hmac crypto_null af_key fuse nfsd exportfs nfs lockd fscache nfs_acl auth_rpcgss sunrpc nls_utf8 cifs hwmon_vid loop dm_crypt snd_hd
> altek snd_hda_intel snd_seq_midi snd_hda_codec snd_rawmidi snd_seq_midi_event snd_hwdep snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer usbhid pl2303 snd btusb shpchp cdc_acm i2c_piix4 hid usbserial parport_pc edac_core k8temp e
> h soundcore parport i2c_core processor rfkill snd_page_alloc pcspkr evdev ext3 jbd mbcache dm_mod ide_cd_mod cdrom sd_mod crc_t10dif ata_generic ide_pci_gener
> c ahci ohci_hcd ehci_hcd atiixp r8169 libata 8139too 8139cp mii floppy button ide_core usbcore nls_base scsi_mod thermal fan thermal_sys [last unloaded: scsi_wait_scan]
> [11278.817841] Pid: 309, comm: khubd Not tainted 2.6.32-trunk-amd64 #1 GA-MA74GM-S2H
> [11278.817843] RIP: 0010:[<ffffffffa02b9ca9>]  [<ffffffffa02b9ca9>] acm_probe+0x4d6/0xcb1 [cdc_acm]
> [11278.817849] RSP: 0018:ffff88006cea1930  EFLAGS: 00010293
> [11278.817851] RAX: 0000000000000000 RBX: ffff880052c08800 RCX: 0000000000000000
> [11278.817853] RDX: 0000000000000000 RSI: 00000000000080d0 RDI: ffff8800376ea000
> [11278.817856] RBP: ffff8800376e9000 R08: 000000000000000c R09: ffff880062ae9888
> [11278.817858] R10: 000080d0000000d0 R11: 00000000000186a0 R12: ffff880062ae9888
> [11278.817860] R13: ffff880052c08000 R14: 0000000000000000 R15: ffff880052c08000
> [11278.817863] FS:  00007f4dc9bf5910(0000) GS:ffff880001800000(0000) knlGS:0000000000000000
> [11278.817866] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
> [11278.817868] CR2: 0000000000000004 CR3: 0000000060157000 CR4: 00000000000006f0
> [11278.817870] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [11278.817873] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [11278.817875] Process khubd (pid: 309, threadinfo ffff88006cea0000, task ffff88006cdff810)
> [11278.817877] Stack:
> [11278.817879]  ffffffff813c7d84 ffff88006f5329a0 0000000000000000 ffffffff810fcb34
> [11278.817882] <0> ffff880060130090 ffffffff8113cebf 0000000000000000 ffff880052c08800
> [11278.817886] <0> 0000000000000000 ffff880062ae9840 ffff880060130000 ffffffff00000000
> [11278.817890] Call Trace:
> [11278.817897]  [<ffffffff810fcb34>] ? iput+0x27/0x60
> [11278.817902]  [<ffffffff8113cebf>] ? sysfs_addrm_finish+0x66/0x204
> [11278.817914]  [<ffffffffa005975a>] ? usb_match_one_id+0x23/0x7f [usbcore]
> [11278.817924]  [<ffffffffa005a6dd>] ? usb_probe_interface+0x107/0x157 [usbcore]
> [11278.817930]  [<ffffffff8120e0e8>] ? driver_probe_device+0xa3/0x14b
> [11278.817934]  [<ffffffff8120e1ff>] ? __device_attach+0x0/0x39
> [11278.817937]  [<ffffffff8120d713>] ? bus_for_each_drv+0x46/0x77
> [11278.817940]  [<ffffffff8120e2bb>] ? device_attach+0x60/0x7e
> [11278.817942]  [<ffffffff8120d58b>] ? bus_probe_device+0x1f/0x38
> [11278.817948]  [<ffffffff8120c258>] ? device_add+0x3a2/0x537
> [11278.817956]  [<ffffffffa005942a>] ? usb_set_configuration+0x589/0x5f2 [usbcore]
> [11278.817965]  [<ffffffffa0060dac>] ? generic_probe+0x61/0xa9 [usbcore]
> [11278.817969]  [<ffffffff8120e0e8>] ? driver_probe_device+0xa3/0x14b
> [11278.817972]  [<ffffffff8120e1ff>] ? __device_attach+0x0/0x39
> [11278.817975]  [<ffffffff8120d713>] ? bus_for_each_drv+0x46/0x77
> [11278.817978]  [<ffffffff8120e2bb>] ? device_attach+0x60/0x7e
> [11278.817981]  [<ffffffff8120d58b>] ? bus_probe_device+0x1f/0x38
> [11278.817986]  [<ffffffff8120c258>] ? device_add+0x3a2/0x537
> [11278.817993]  [<ffffffffa00531ec>] ? usb_new_device+0x125/0x186 [usbcore]
> [11278.818001]  [<ffffffffa00548ec>] ? hub_thread+0xc19/0x1175 [usbcore]
> [11278.818006]  [<ffffffff81064aae>] ? autoremove_wake_function+0x0/0x2e
> [11278.818014]  [<ffffffffa0053cd3>] ? hub_thread+0x0/0x1175 [usbcore]
> [11278.818017]  [<ffffffff810647e1>] ? kthread+0x79/0x81
> [11278.818021]  [<ffffffff81011b6a>] ? child_rip+0xa/0x20
> [11278.818024]  [<ffffffff81064768>] ? kthread+0x0/0x81
> [11278.818026]  [<ffffffff81011b60>] ? child_rip+0x0/0x20
> [11278.818028] Code: 33 9c 2b a0 ff 13 48 83 c3 08 48 83 3b 00 eb d8 48 85 ed b8 f4 ff ff ff 0f 84 ab 07 00 00 48 8b 54 24 40 31 c0 48 83 7c 24 68 02 <0f> b7 52 04 0f 95 c0 ff c0 89 44 24 60 89 54 24 5c 41 0f b7 44 
> [11278.818054] RIP  [<ffffffffa02b9ca9>] acm_probe+0x4d6/0xcb1 [cdc_acm]
> [11278.818058]  RSP <ffff88006cea1930>
> [11278.818060] CR2: 0000000000000004
> [11278.818062] ---[ end trace ba11069b8b4d1dae ]---
[...]

-- 
Ben Hutchings
In a hierarchy, every employee tends to rise to his level of incompetence.
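The three quoted lines form &...->endpoint[0].desc and &...->endpoint[1].desc without first checking how many endpoints each altsetting actually carries. The oops is consistent with that: the faulting bytes <0f> b7 52 04 decode to a 16-bit load from offset 4 of RDX, RDX is 0 in the register dump, and 4 is the byte offset of wMaxPacketSize in a USB endpoint descriptor, so the driver was reading the packet size through a NULL descriptor pointer. What follows is an added illustration and not code from the report, the Debian kernel or upstream Linux: a user-space mock of the structures involved, with the validation a probe routine should do before indexing the endpoint array. The struct layouts, constants, descriptor values and function names (acm_find_endpoints, probe, iface) are stand-ins chosen for the example, and it assumes the endpoint array pointer is NULL when an interface declares zero endpoints, which is what the fault address suggests.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space mock of the structures acm_probe() walks.  The endpoint
 * descriptor layout is the USB one; the rest are stand-ins, not kernel types. */
#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     2
#define USB_ENDPOINT_XFER_INT      3

struct usb_endpoint_descriptor {
    uint8_t  bLength, bDescriptorType, bEndpointAddress, bmAttributes;
    uint16_t wMaxPacketSize;   /* byte offset 4 */
    uint8_t  bInterval;
};
struct usb_host_endpoint { struct usb_endpoint_descriptor desc; };
struct usb_host_interface {
    struct { uint8_t bNumEndpoints; } desc;
    struct usb_host_endpoint *endpoint;   /* assumed NULL when bNumEndpoints == 0 */
};
struct acm_endpoints {
    const struct usb_endpoint_descriptor *epctrl, *epread, *epwrite;
};

/* With endpoint == NULL, &endpoint[0].desc is NULL and the driver's read of
 * wMaxPacketSize touches this offset: 4, the CR2 value in the oops. */
size_t faulting_field_offset(void)
{
    return offsetof(struct usb_endpoint_descriptor, wMaxPacketSize);
}

static int ep_is(const struct usb_endpoint_descriptor *d, int type, int in)
{
    return (d->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == type &&
           ((d->bEndpointAddress & USB_DIR_IN) != 0) == in;
}

/* Hardened counterpart of the three unchecked lines quoted in the report:
 * check the counts before forming any &endpoint[i], then check the type and
 * direction of every endpoint the driver is about to use. */
int acm_find_endpoints(const struct usb_host_interface *ctrl,
                       const struct usb_host_interface *data,
                       struct acm_endpoints *out)
{
    const struct usb_endpoint_descriptor *a, *b;
    if (ctrl->desc.bNumEndpoints < 1 || ctrl->endpoint == NULL)
        return -EINVAL;                  /* the reporter's device stops here */
    if (data->desc.bNumEndpoints < 2 || data->endpoint == NULL)
        return -EINVAL;
    out->epctrl = &ctrl->endpoint[0].desc;        /* must be interrupt IN */
    if (!ep_is(out->epctrl, USB_ENDPOINT_XFER_INT, 1))
        return -EINVAL;
    /* Accept the bulk pair in either order (the driver already copes with
     * swapped data endpoints) but insist on exactly one IN and one OUT. */
    a = &data->endpoint[0].desc;
    b = &data->endpoint[1].desc;
    if (ep_is(a, USB_ENDPOINT_XFER_BULK, 1) && ep_is(b, USB_ENDPOINT_XFER_BULK, 0)) {
        out->epread = a; out->epwrite = b;
    } else if (ep_is(b, USB_ENDPOINT_XFER_BULK, 1) && ep_is(a, USB_ENDPOINT_XFER_BULK, 0)) {
        out->epread = b; out->epwrite = a;
    } else {
        return -EINVAL;
    }
    return 0;
}

/* Constructed descriptors for the scenarios below, not from a real device. */
static struct usb_host_endpoint ctrl_int_in[] = {
    { .desc = { 7, 5, 0x83, USB_ENDPOINT_XFER_INT, 16, 255 } },
};
static struct usb_host_endpoint data_bulk_swapped[] = {
    { .desc = { 7, 5, 0x02, USB_ENDPOINT_XFER_BULK, 64, 0 } },   /* OUT listed first */
    { .desc = { 7, 5, 0x82, USB_ENDPOINT_XFER_BULK, 64, 0 } },   /* IN listed second */
};

static struct usb_host_interface iface(struct usb_host_endpoint *eps, uint8_t n)
{
    struct usb_host_interface i = { { n }, n ? eps : NULL };
    return i;
}

/* Probe a device built from the sample descriptors with the given endpoint
 * counts: (read address << 8 | write address) on success, -errno otherwise.
 * probe(0, 2) is the shape the reporter hit. */
int probe(uint8_t n_ctrl, uint8_t n_data)
{
    struct usb_host_interface ctrl = iface(ctrl_int_in, n_ctrl);
    struct usb_host_interface data = iface(data_bulk_swapped, n_data);
    struct acm_endpoints eps;
    int rc = acm_find_endpoints(&ctrl, &data, &eps);
    return rc ? rc : (eps.epread->bEndpointAddress << 8) | eps.epwrite->bEndpointAddress;
}

int main(void)
{
    printf("wMaxPacketSize offset: %zu\n", faulting_field_offset());  /* 4 */
    printf("0 control endpoints:   %d\n", probe(0, 2));               /* -22 (EINVAL) */
    printf("1 data endpoint:       %d\n", probe(1, 1));               /* -22 */
    printf("swapped data pair:     0x%04x\n", probe(1, 2));           /* 0x8202 */
    return 0;
}
```

Checking bNumEndpoints is the minimum fix for the crash; a device can also lie about endpoint types and directions, which is why the mock verifies transfer type and direction of every endpoint it uses instead of trusting array position alone. Later kernels provide usb_find_common_endpoints() for this kind of lookup; the mock reimplements the idea so it runs outside the kernel.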