Re: [PATCH] CDC ACM: Fix NULL pointer dereference

Sven Schnelle <svens@xxxxxxxxxxxxxx> · Fri, 17 Aug 2012 21:43:43 +0200

Greg KH <greg@xxxxxxxxx> writes:

> On Fri, Aug 17, 2012 at 08:07:11PM +0200, Sven Schnelle wrote:
>> If a device specifies zero endpoints in its interface descriptor,
>> the kernel oops's with the following output:
>> 
>> Aug 17 19:32:37 deprecated kernel: [  103.785466] cdc_acm 1-5:1.0:usb_probe_interface
>> Aug 17 19:32:37 deprecated kernel: [  103.785474] cdc_acm 1-5:1.0:usb_probe_interface - got id
>> Aug 17 19:32:37 deprecated kernel: [  103.785480] cdc_acm 1-5:1.0:This device cannot do calls on its own. It is not a modem.
>> Aug 17 19:32:37 deprecated kernel: [  103.785491] BUG: unable to
>> handle kernel NULL pointer dereference at 00000004
>> [..]
>> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
>> index 56d6bf6..cfffb3d 100644
>> --- a/drivers/usb/class/cdc-acm.c
>> +++ b/drivers/usb/class/cdc-acm.c
>> @@ -1111,6 +1111,8 @@ skip_normal_probe:
>>  	epread = &data_interface->cur_altsetting->endpoint[0].desc;
>>  	epwrite = &data_interface->cur_altsetting->endpoint[1].desc;
>>  
>> +	if (!epctrl || !epread || !epwrite)
>> +		return -EINVAL;
>
> How about we check the number of endpoints _before_ dereferencing them?
>
> That would seem to be the correct fix here, instead of relying on the
> fact that those arrays are NULL at the moment.

Sorry, my fault. Something like this?:

Author: Sven Schnelle <svens@xxxxxxxxxxxxxx>
Date:   Fri Aug 17 19:54:34 2012 +0200

    CDC ACM: Fix NULL pointer dereference
    
    If a device specifies zero endpoints in its interface descriptor,
    the kernel oopses in acm_probe(). Even though that's clearly an
    invalid descriptor, we should test wether we have all endpoints.
    This is especially bad as this oops can be triggered by just
    plugging a USB device in.
    
    Signed-off-by: Sven Schnelle <svens@xxxxxxxxxxxxxx>

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 56d6bf6..f763ed7 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1104,7 +1104,8 @@ skip_normal_probe:
        }
 
 
-       if (data_interface->cur_altsetting->desc.bNumEndpoints < 2)
+       if (data_interface->cur_altsetting->desc.bNumEndpoints < 2 ||
+           control_interface->cur_altsetting->desc.bNumEndpoints == 0)
                return -EINVAL;
 
        epctrl = &control_interface->cur_altsetting->endpoint[0].desc;

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html





