Greg KH <greg@xxxxxxxxx> writes: > On Fri, Aug 17, 2012 at 09:43:43PM +0200, Sven Schnelle wrote: >> Greg KH <greg@xxxxxxxxx> writes: >> >> > On Fri, Aug 17, 2012 at 08:07:11PM +0200, Sven Schnelle wrote: >> >> If a device specifies zero endpoints in its interface descriptor, >> >> the kernel oops's with the following output: >> >> >> >> Aug 17 19:32:37 deprecated kernel: [ 103.785466] cdc_acm 1-5:1.0:usb_probe_interface >> >> Aug 17 19:32:37 deprecated kernel: [ 103.785474] cdc_acm 1-5:1.0:usb_probe_interface - got id >> >> Aug 17 19:32:37 deprecated kernel: [ 103.785480] cdc_acm 1-5:1.0:This device cannot do calls on its own. It is not a modem. >> >> Aug 17 19:32:37 deprecated kernel: [ 103.785491] BUG: unable to >> >> handle kernel NULL pointer dereference at 00000004 >> >> [..] >> >> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c >> >> index 56d6bf6..cfffb3d 100644 >> >> --- a/drivers/usb/class/cdc-acm.c >> >> +++ b/drivers/usb/class/cdc-acm.c >> >> @@ -1111,6 +1111,8 @@ skip_normal_probe: >> >> epread = &data_interface->cur_altsetting->endpoint[0].desc; >> >> epwrite = &data_interface->cur_altsetting->endpoint[1].desc; >> >> >> >> + if (!epctrl || !epread || !epwrite) >> >> + return -EINVAL; >> > >> > How about we check the number of endpoints _before_ dereferencing them? >> > >> > That would seem to be the correct fix here, instead of relying on the >> > fact that those arrays are NULL at the moment. >> >> Sorry, my fault. Something like this?: >> >> Author: Sven Schnelle <svens@xxxxxxxxxxxxxx> >> Date: Fri Aug 17 19:54:34 2012 +0200 >> >> CDC ACM: Fix NULL pointer dereference >> >> If a device specifies zero endpoints in its interface descriptor, >> the kernel oopses in acm_probe(). Even though that's clearly an >> invalid descriptor, we should test wether we have all endpoints. >> This is especially bad as this oops can be triggered by just >> plugging a USB device in. >> >> Signed-off-by: Sven Schnelle <svens@xxxxxxxxxxxxxx> >> >> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c >> index 56d6bf6..f763ed7 100644 >> --- a/drivers/usb/class/cdc-acm.c >> +++ b/drivers/usb/class/cdc-acm.c >> @@ -1104,7 +1104,8 @@ skip_normal_probe: >> } >> >> >> - if (data_interface->cur_altsetting->desc.bNumEndpoints < 2) >> + if (data_interface->cur_altsetting->desc.bNumEndpoints < 2 || >> + control_interface->cur_altsetting->desc.bNumEndpoints == 0) > > That's better, does this fix the problem in your testing? Yes. The device is rejected, which is correct because the descriptor is messed up. Actually i triggered that bug due to a typo while writing code for a USB device. I was quite surprised seeing an oops triggered by a plugged in USB device ;) Regards Sven -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
