Re: [PATCH] CDC ACM: Fix NULL pointer dereference

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Greg KH <greg@xxxxxxxxx> writes:

> On Fri, Aug 17, 2012 at 09:43:43PM +0200, Sven Schnelle wrote:
>> Greg KH <greg@xxxxxxxxx> writes:
>> 
>> > On Fri, Aug 17, 2012 at 08:07:11PM +0200, Sven Schnelle wrote:
>> >> If a device specifies zero endpoints in its interface descriptor,
>> >> the kernel oops's with the following output:
>> >> 
>> >> Aug 17 19:32:37 deprecated kernel: [  103.785466] cdc_acm 1-5:1.0:usb_probe_interface
>> >> Aug 17 19:32:37 deprecated kernel: [  103.785474] cdc_acm 1-5:1.0:usb_probe_interface - got id
>> >> Aug 17 19:32:37 deprecated kernel: [  103.785480] cdc_acm 1-5:1.0:This device cannot do calls on its own. It is not a modem.
>> >> Aug 17 19:32:37 deprecated kernel: [  103.785491] BUG: unable to
>> >> handle kernel NULL pointer dereference at 00000004
>> >> [..]
>> >> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
>> >> index 56d6bf6..cfffb3d 100644
>> >> --- a/drivers/usb/class/cdc-acm.c
>> >> +++ b/drivers/usb/class/cdc-acm.c
>> >> @@ -1111,6 +1111,8 @@ skip_normal_probe:
>> >>  	epread = &data_interface->cur_altsetting->endpoint[0].desc;
>> >>  	epwrite = &data_interface->cur_altsetting->endpoint[1].desc;
>> >>  
>> >> +	if (!epctrl || !epread || !epwrite)
>> >> +		return -EINVAL;
>> >
>> > How about we check the number of endpoints _before_ dereferencing them?
>> >
>> > That would seem to be the correct fix here, instead of relying on the
>> > fact that those arrays are NULL at the moment.
>> 
>> Sorry, my fault. Something like this?:
>> 
>> Author: Sven Schnelle <svens@xxxxxxxxxxxxxx>
>> Date:   Fri Aug 17 19:54:34 2012 +0200
>> 
>>     CDC ACM: Fix NULL pointer dereference
>>     
>>     If a device specifies zero endpoints in its interface descriptor,
>>     the kernel oopses in acm_probe(). Even though that's clearly an
>>     invalid descriptor, we should test wether we have all endpoints.
>>     This is especially bad as this oops can be triggered by just
>>     plugging a USB device in.
>>     
>>     Signed-off-by: Sven Schnelle <svens@xxxxxxxxxxxxxx>
>> 
>> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
>> index 56d6bf6..f763ed7 100644
>> --- a/drivers/usb/class/cdc-acm.c
>> +++ b/drivers/usb/class/cdc-acm.c
>> @@ -1104,7 +1104,8 @@ skip_normal_probe:
>>         }
>>  
>>  
>> -       if (data_interface->cur_altsetting->desc.bNumEndpoints < 2)
>> +       if (data_interface->cur_altsetting->desc.bNumEndpoints < 2 ||
>> +           control_interface->cur_altsetting->desc.bNumEndpoints == 0)
>
> That's better, does this fix the problem in your testing?

Yes. The device is rejected, which is correct because the descriptor is
messed up. Actually i triggered that bug due to a typo while writing
code for a USB device. I was quite surprised seeing an oops triggered
by a plugged in USB device ;)

Regards
Sven
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux