Re: [PATCH] CDC ACM: Fix NULL pointer dereference

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Aug 17, 2012 at 08:07:11PM +0200, Sven Schnelle wrote:
> If a device specifies zero endpoints in its interface descriptor,
> the kernel oops's with the following output:
> 
> Aug 17 19:32:37 deprecated kernel: [  103.785466] cdc_acm 1-5:1.0:usb_probe_interface
> Aug 17 19:32:37 deprecated kernel: [  103.785474] cdc_acm 1-5:1.0:usb_probe_interface - got id
> Aug 17 19:32:37 deprecated kernel: [  103.785480] cdc_acm 1-5:1.0:This device cannot do calls on its own. It is not a modem.
> Aug 17 19:32:37 deprecated kernel: [  103.785491] BUG: unable to handle kernel NULL pointer dereference at 00000004
> Aug 17 19:32:37 deprecated kernel: [  103.785609] IP: [<c166b684>] acm_probe+0x234/0xca0
> Aug 17 19:32:37 deprecated kernel: [  103.785693] *pde = 00000000
> Aug 17 19:32:37 deprecated kernel: [  103.785742] Oops: 0000 [#1] PREEMPT SMP
> Aug 17 19:32:37 deprecated kernel: [  103.785813] Modules linked in:
> Aug 17 19:32:37 deprecated kernel: [  103.785867] Pid: 561, comm: khubd Not tainted 3.6.0-rc1-smp+ #137 LENOVO 2007YK3/2007YK3
> Aug 17 19:32:37 deprecated kernel: [  103.785984] EIP: 0060:[<c166b684>] EFLAGS: 00010293 CPU: 1
> Aug 17 19:32:37 deprecated kernel: [  103.786065] EIP is at acm_probe+0x234/0xca0
> Aug 17 19:32:37 deprecated kernel: [  103.786126] EAX: 00000000 EBX: f412992c ECX: 00000000 EDX: 00000000
> Aug 17 19:32:37 deprecated kernel: [  103.786214] ESI: f4d9d000 EDI: 00000000 EBP: f56abc5c ESP: f56abc00
> Aug 17 19:32:37 deprecated kernel: [  103.786303]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> Aug 17 19:32:37 deprecated kernel: [  103.786380] CR0: 8005003b CR2: 00000004 CR3: 01dc0000 CR4: 000007d0
> Aug 17 19:32:37 deprecated kernel: [  103.786469] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
> Aug 17 19:32:37 deprecated kernel: [  103.786558] DR6: ffff0ff0 DR7: 00000400
> Aug 17 19:32:37 deprecated kernel: [  103.786614] Process khubd (pid: 561, ti=f56aa000 task=f5642010 task.ti=f56aa000)
> Aug 17 19:32:37 deprecated kernel: [  103.786718] Stack:
> Aug 17 19:32:37 deprecated kernel: [  103.786750]  f4b07a1c c1c73660 f5642010 00000004 00000000 f4b07a1c 00000008 00000000
> Aug 17 19:32:37 deprecated kernel: [  103.786895]  00000000 f4093864 f4129900 f4093800 f4b06e00 00000000 00000010 f4b07a00
> Aug 17 19:32:37 deprecated kernel: [  103.787041]  f412901b f4b07a00 f4093800 00000000 f4b07a1c f4093800 c1d1e734 f56abc90
> Aug 17 19:32:37 deprecated kernel: [  103.787186] Call Trace:
> Aug 17 19:32:37 deprecated kernel: [  103.787230]  [<c1651889>] usb_probe_interface+0x189/0x250
> Aug 17 19:32:37 deprecated kernel: [  103.787313]  [<c154ee27>] driver_probe_device+0x57/0x1f0
> Aug 17 19:32:37 deprecated kernel: [  103.787393]  [<c165119e>] ?usb_device_match+0x4e/0x90
> Aug 17 19:32:37 deprecated kernel: [  103.787470]  [<c154f050>] ?__driver_attach+0x90/0x90
> Aug 17 19:32:37 deprecated kernel: [  103.787545]  [<c154f089>] __device_attach+0x39/0x50
> Aug 17 19:32:37 deprecated kernel: [  103.787618]  [<c154d644>] bus_for_each_drv+0x34/0x70
> Aug 17 19:32:37 deprecated kernel: [  103.787695]  [<c154eda3>] device_attach+0x83/0x90
> Aug 17 19:32:37 deprecated kernel: [  103.787765]  [<c154f050>] ?_driver_attach+0x90/0x90
> Aug 17 19:32:37 deprecated kernel: [  103.787840]  [<c154e45f>]  bus_probe_device+0x6f/0x90
> Aug 17 19:32:37 deprecated kernel: [  103.787914]  [<c154cdce>] device_add+0x56e/0x620
> Aug 17 19:32:37 deprecated kernel: [  103.787988]  [<c13a8253>] ?kvasprintf+0x43/0x60
> Aug 17 19:32:37 deprecated kernel: [  103.788072]  [<c154c1a6>] ?dev_printk+0x26/0x30
> Aug 17 19:32:37 deprecated kernel: [  103.788148]  [<c164fcd1>] usb_set_configuration+0x4a1/0x740
> Aug 17 19:32:37 deprecated kernel: [  103.788234]  [<c16587c6>] generic_probe+0x36/0x90
> Aug 17 19:32:37 deprecated kernel: [  103.788305]  [<c154c1a6>] ?dev_printk+0x26/0x30
> Aug 17 19:32:37 deprecated kernel: [  103.788375]  [<c165198d>] usb_probe_device+0x3d/0x70
> Aug 17 19:32:37 deprecated kernel: [  103.788451]  [<c154ee27>] driver_probe_device+0x57/0x1f0
> Aug 17 19:32:37 deprecated kernel: [  103.788532]  [<c139e241>] ?kobject_uevent_env+0x101/0x4a0
> Aug 17 19:32:37 deprecated kernel: [  103.788615]  [<c154f050>] ?__driver_attach+0x90/0x90
> Aug 17 19:32:37 deprecated kernel: [  103.788690]  [<c154f089>] __device_attach+0x39/0x50
> Aug 17 19:32:37 deprecated kernel: [  103.788763]  [<c154d644>] bus_for_each_drv+0x34/0x70
> Aug 17 19:32:37 deprecated kernel: [  103.788839]  [<c154eda3>] device_attach+0x83/0x90
> Aug 17 19:32:37 deprecated kernel: [  103.788909]  [<c154f050>] ?__driver_attach+0x90/0x90
> Aug 17 19:32:37 deprecated kernel: [  103.788984]  [<c154e45f>] bus_probe_device+0x6f/0x90
> Aug 17 19:32:37 deprecated kernel: [  103.789059]  [<c154cdce>] device_add+0x56e/0x620
> Aug 17 19:32:37 deprecated kernel: [  103.789132]  [<c1456b40>] ?add_device_randomness+0x60/0x70
> Aug 17 19:32:37 deprecated kernel: [  103.789215]  [<c1647fac>] usb_new_device+0x1fc/0x2c0
> Aug 17 19:32:37 deprecated kernel: [  103.789291]  [<c1658923>] ?usb_detect_quirks+0x13/0x60
> Aug 17 19:32:37 deprecated kernel: [  103.789368]  [<c1649298>] hub_thread+0x738/0x14b0
> Aug 17 19:32:37 deprecated kernel: [  103.789375]  [<c1079b70>] ?abort_exclusive_wait+0x80/0x80
> Aug 17 19:32:37 deprecated kernel: [  103.789375]  [<c1648b60>] ?usb_remote_wakeup+0x70/0x70
> Aug 17 19:32:37 deprecated kernel: [  103.789375]  [<c107943d>] kthread+0x6d/0x80
> Aug 17 19:32:37 deprecated kernel: [  103.789375]  [<c10793d0>] ?kthread_freezable_should_stop+0x50/0x50
> Aug 17 19:32:37 deprecated kernel: [  103.789375]  [<c1907536>] kernel_thread_helper+0x6/0xd
> Aug 17 19:32:37 deprecated kernel: [  103.789375] Code: 03 00 00 8b 14 85 a0 2f ef c1 85 d2 75 e9 89 45 c0 89 34 85 a0 2f ef c1 b8 74 e7 d1
> c1 e8 d5 8d 29 00 8b 45 b4 31 c9 83 7d f0 02 <0f> b7 50 04 0f b7
> Aug 17 19:32:37 deprecated kernel: [  103.789375] EIP: [<c166b684>] acm_probe+0x234/0xca0 SS:ESP 0068:f56abc00
> Aug 17 19:32:37 deprecated kernel: [  103.789375] CR2: 0000000000000004
> Aug 17 19:32:37 deprecated kernel: [  103.844668] ---[ end trace b697e914091a9cd0 ]---
> 
> Even though that's clearly an invalid descriptor, we should test
> wether we have all endpoints. This is especially bad as this oops
> can be triggered by just plugging a USB device in.
> 
> Signed-off-by: Sven Schnelle <svens@xxxxxxxxxxxxxx>
> ---
>  drivers/usb/class/cdc-acm.c |    2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
> index 56d6bf6..cfffb3d 100644
> --- a/drivers/usb/class/cdc-acm.c
> +++ b/drivers/usb/class/cdc-acm.c
> @@ -1111,6 +1111,8 @@ skip_normal_probe:
>  	epread = &data_interface->cur_altsetting->endpoint[0].desc;
>  	epwrite = &data_interface->cur_altsetting->endpoint[1].desc;
>  
> +	if (!epctrl || !epread || !epwrite)
> +		return -EINVAL;

How about we check the number of endpoints _before_ dereferencing them?

That would seem to be the correct fix here, instead of relying on the
fact that those arrays are NULL at the moment.

Care to redo this?

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux