[PATCH] CDC ACM: Fix NULL pointer dereference

If a device specifies zero endpoints in its interface descriptor,
the kernel oopses with the following output:

Aug 17 19:32:37 deprecated kernel: [  103.785466] cdc_acm 1-5:1.0:usb_probe_interface
Aug 17 19:32:37 deprecated kernel: [  103.785474] cdc_acm 1-5:1.0:usb_probe_interface - got id
Aug 17 19:32:37 deprecated kernel: [  103.785480] cdc_acm 1-5:1.0:This device cannot do calls on its own. It is not a modem.
Aug 17 19:32:37 deprecated kernel: [  103.785491] BUG: unable to handle kernel NULL pointer dereference at 00000004
Aug 17 19:32:37 deprecated kernel: [  103.785609] IP: [<c166b684>] acm_probe+0x234/0xca0
Aug 17 19:32:37 deprecated kernel: [  103.785693] *pde = 00000000
Aug 17 19:32:37 deprecated kernel: [  103.785742] Oops: 0000 [#1] PREEMPT SMP
Aug 17 19:32:37 deprecated kernel: [  103.785813] Modules linked in:
Aug 17 19:32:37 deprecated kernel: [  103.785867] Pid: 561, comm: khubd Not tainted 3.6.0-rc1-smp+ #137 LENOVO 2007YK3/2007YK3
Aug 17 19:32:37 deprecated kernel: [  103.785984] EIP: 0060:[<c166b684>] EFLAGS: 00010293 CPU: 1
Aug 17 19:32:37 deprecated kernel: [  103.786065] EIP is at acm_probe+0x234/0xca0
Aug 17 19:32:37 deprecated kernel: [  103.786126] EAX: 00000000 EBX: f412992c ECX: 00000000 EDX: 00000000
Aug 17 19:32:37 deprecated kernel: [  103.786214] ESI: f4d9d000 EDI: 00000000 EBP: f56abc5c ESP: f56abc00
Aug 17 19:32:37 deprecated kernel: [  103.786303]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Aug 17 19:32:37 deprecated kernel: [  103.786380] CR0: 8005003b CR2: 00000004 CR3: 01dc0000 CR4: 000007d0
Aug 17 19:32:37 deprecated kernel: [  103.786469] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
Aug 17 19:32:37 deprecated kernel: [  103.786558] DR6: ffff0ff0 DR7: 00000400
Aug 17 19:32:37 deprecated kernel: [  103.786614] Process khubd (pid: 561, ti=f56aa000 task=f5642010 task.ti=f56aa000)
Aug 17 19:32:37 deprecated kernel: [  103.786718] Stack:
Aug 17 19:32:37 deprecated kernel: [  103.786750]  f4b07a1c c1c73660 f5642010 00000004 00000000 f4b07a1c 00000008 00000000
Aug 17 19:32:37 deprecated kernel: [  103.786895]  00000000 f4093864 f4129900 f4093800 f4b06e00 00000000 00000010 f4b07a00
Aug 17 19:32:37 deprecated kernel: [  103.787041]  f412901b f4b07a00 f4093800 00000000 f4b07a1c f4093800 c1d1e734 f56abc90
Aug 17 19:32:37 deprecated kernel: [  103.787186] Call Trace:
Aug 17 19:32:37 deprecated kernel: [  103.787230]  [<c1651889>] usb_probe_interface+0x189/0x250
Aug 17 19:32:37 deprecated kernel: [  103.787313]  [<c154ee27>] driver_probe_device+0x57/0x1f0
Aug 17 19:32:37 deprecated kernel: [  103.787393]  [<c165119e>] ?usb_device_match+0x4e/0x90
Aug 17 19:32:37 deprecated kernel: [  103.787470]  [<c154f050>] ?__driver_attach+0x90/0x90
Aug 17 19:32:37 deprecated kernel: [  103.787545]  [<c154f089>] __device_attach+0x39/0x50
Aug 17 19:32:37 deprecated kernel: [  103.787618]  [<c154d644>] bus_for_each_drv+0x34/0x70
Aug 17 19:32:37 deprecated kernel: [  103.787695]  [<c154eda3>] device_attach+0x83/0x90
Aug 17 19:32:37 deprecated kernel: [  103.787765]  [<c154f050>] ?_driver_attach+0x90/0x90
Aug 17 19:32:37 deprecated kernel: [  103.787840]  [<c154e45f>]  bus_probe_device+0x6f/0x90
Aug 17 19:32:37 deprecated kernel: [  103.787914]  [<c154cdce>] device_add+0x56e/0x620
Aug 17 19:32:37 deprecated kernel: [  103.787988]  [<c13a8253>] ?kvasprintf+0x43/0x60
Aug 17 19:32:37 deprecated kernel: [  103.788072]  [<c154c1a6>] ?dev_printk+0x26/0x30
Aug 17 19:32:37 deprecated kernel: [  103.788148]  [<c164fcd1>] usb_set_configuration+0x4a1/0x740
Aug 17 19:32:37 deprecated kernel: [  103.788234]  [<c16587c6>] generic_probe+0x36/0x90
Aug 17 19:32:37 deprecated kernel: [  103.788305]  [<c154c1a6>] ?dev_printk+0x26/0x30
Aug 17 19:32:37 deprecated kernel: [  103.788375]  [<c165198d>] usb_probe_device+0x3d/0x70
Aug 17 19:32:37 deprecated kernel: [  103.788451]  [<c154ee27>] driver_probe_device+0x57/0x1f0
Aug 17 19:32:37 deprecated kernel: [  103.788532]  [<c139e241>] ?kobject_uevent_env+0x101/0x4a0
Aug 17 19:32:37 deprecated kernel: [  103.788615]  [<c154f050>] ?__driver_attach+0x90/0x90
Aug 17 19:32:37 deprecated kernel: [  103.788690]  [<c154f089>] __device_attach+0x39/0x50
Aug 17 19:32:37 deprecated kernel: [  103.788763]  [<c154d644>] bus_for_each_drv+0x34/0x70
Aug 17 19:32:37 deprecated kernel: [  103.788839]  [<c154eda3>] device_attach+0x83/0x90
Aug 17 19:32:37 deprecated kernel: [  103.788909]  [<c154f050>] ?__driver_attach+0x90/0x90
Aug 17 19:32:37 deprecated kernel: [  103.788984]  [<c154e45f>] bus_probe_device+0x6f/0x90
Aug 17 19:32:37 deprecated kernel: [  103.789059]  [<c154cdce>] device_add+0x56e/0x620
Aug 17 19:32:37 deprecated kernel: [  103.789132]  [<c1456b40>] ?add_device_randomness+0x60/0x70
Aug 17 19:32:37 deprecated kernel: [  103.789215]  [<c1647fac>] usb_new_device+0x1fc/0x2c0
Aug 17 19:32:37 deprecated kernel: [  103.789291]  [<c1658923>] ?usb_detect_quirks+0x13/0x60
Aug 17 19:32:37 deprecated kernel: [  103.789368]  [<c1649298>] hub_thread+0x738/0x14b0
Aug 17 19:32:37 deprecated kernel: [  103.789375]  [<c1079b70>] ?abort_exclusive_wait+0x80/0x80
Aug 17 19:32:37 deprecated kernel: [  103.789375]  [<c1648b60>] ?usb_remote_wakeup+0x70/0x70
Aug 17 19:32:37 deprecated kernel: [  103.789375]  [<c107943d>] kthread+0x6d/0x80
Aug 17 19:32:37 deprecated kernel: [  103.789375]  [<c10793d0>] ?kthread_freezable_should_stop+0x50/0x50
Aug 17 19:32:37 deprecated kernel: [  103.789375]  [<c1907536>] kernel_thread_helper+0x6/0xd
Aug 17 19:32:37 deprecated kernel: [  103.789375] Code: 03 00 00 8b 14 85 a0 2f ef c1 85 d2 75 e9 89 45 c0 89 34 85 a0 2f ef c1 b8 74 e7 d1 c1 e8 d5 8d 29 00 8b 45 b4 31 c9 83 7d f0 02 <0f> b7 50 04 0f b7
Aug 17 19:32:37 deprecated kernel: [  103.789375] EIP: [<c166b684>] acm_probe+0x234/0xca0 SS:ESP 0068:f56abc00
Aug 17 19:32:37 deprecated kernel: [  103.789375] CR2: 0000000000000004
Aug 17 19:32:37 deprecated kernel: [  103.844668] ---[ end trace b697e914091a9cd0 ]---

Even though that's clearly an invalid descriptor, we should test
whether we have all endpoints. This is especially bad as this oops
can be triggered by just plugging a USB device in.

Signed-off-by: Sven Schnelle <svens@xxxxxxxxxxxxxx>
---
 drivers/usb/class/cdc-acm.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 56d6bf6..cfffb3d 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1111,6 +1111,8 @@ skip_normal_probe:
 	epread = &data_interface->cur_altsetting->endpoint[0].desc;
 	epwrite = &data_interface->cur_altsetting->endpoint[1].desc;
 
+	if (!epctrl || !epread || !epwrite)
+		return -EINVAL;
 
 	/* workaround for switched endpoints */
 	if (!usb_endpoint_dir_in(epread)) {
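
Review bot: the added test `if (!epctrl || !epread || !epwrite)` does not reliably detect missing endpoints, because `epread` and `epwrite` are addresses computed as `&...->endpoint[0].desc` and `&...->endpoint[1].desc` in the two context lines just above it. If the `endpoint` array pointer is NULL, `epwrite` is NULL plus the offset of element 1 and is therefore never NULL, and `epread` is NULL only when `desc` sits at offset 0 of the element. A data interface with exactly one endpoint also passes the test while `endpoint[1]` is read past the end of the array. Checking the descriptor's endpoint count before indexing would cover all of these cases, for example returning -EINVAL when `data_interface->cur_altsetting->desc.bNumEndpoints < 2`, placed ahead of the `epread`/`epwrite` assignments. The assignment of `epctrl` is not visible in this hunk; if it is taken from the control interface's endpoint array in the same way, it needs the equivalent count check on that interface.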
-- 
1.7.10.4
