On Wed, Mar 16, 2016 at 02:23:33PM +0100, Oliver Neukum wrote: > An attack using the lack of sanity checking in probe > is known. This patch checks for the existance of a > second port. > CVE-2016-3136 > > Signed-off-by: Oliver Neukum <ONeukum@xxxxxxxx> > CC: stable@xxxxxxxxxxxxxxx > --- > drivers/usb/serial/mct_u232.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c > index fd707d6..d6a36b1 100644 > --- a/drivers/usb/serial/mct_u232.c > +++ b/drivers/usb/serial/mct_u232.c > @@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port) > { > struct mct_u232_private *priv; > > + /* check first to simplify error handling */ > + if (!port->serial->port[1]) > + return -ENODEV; > + This check is not sufficient as the second port's interrupt-in urb is also unconditionally dereferenced below. Care to fix that up? Ideally the existence of a second interrupt-in urb should have been verified already at interface probe. But we can clean that up later. > priv = kzalloc(sizeof(*priv), GFP_KERNEL); > if (!priv) > return -ENOMEM; Thanks, Johan -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html