This is a note to let you know that I've just added the patch titled
Input: ims-pcu - validate number of endpoints before using them
to the 4.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
input-ims-pcu-validate-number-of-endpoints-before-using-them.patch
and it can be found in the queue-4.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 1916d319271664241b7aa0cd2b05e32bdb310ce9 Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@xxxxxxxxxx>
Date: Thu, 16 Mar 2017 11:36:13 -0700
Subject: Input: ims-pcu - validate number of endpoints before using them
From: Johan Hovold <johan@xxxxxxxxxx>
commit 1916d319271664241b7aa0cd2b05e32bdb310ce9 upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack control-interface endpoints.
Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/input/misc/ims-pcu.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1667,6 +1667,10 @@ static int ims_pcu_parse_cdc_data(struct
return -EINVAL;
alt = pcu->ctrl_intf->cur_altsetting;
+
+ if (alt->desc.bNumEndpoints < 1)
+ return -ENODEV;
+
pcu->ep_ctrl = &alt->endpoint[0].desc;
pcu->max_ctrl_size = usb_endpoint_maxp(pcu->ep_ctrl);
Patches currently in stable-queue which might be from johan@xxxxxxxxxx are
queue-4.10/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch
queue-4.10/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch
queue-4.10/usb-usbtmc-add-missing-endpoint-sanity-check.patch
queue-4.10/input-cm109-validate-number-of-endpoints-before-using-them.patch
queue-4.10/input-iforce-validate-number-of-endpoints-before-using-them.patch
queue-4.10/mmc-ushc-fix-null-deref-at-probe.patch
queue-4.10/input-kbtab-validate-number-of-endpoints-before-using-them.patch
queue-4.10/usb-usbtmc-fix-probe-error-path.patch
queue-4.10/input-sur40-validate-number-of-endpoints-before-using-them.patch
queue-4.10/uwb-i1480-dfu-fix-null-deref-at-probe.patch
queue-4.10/input-hanwang-validate-number-of-endpoints-before-using-them.patch
queue-4.10/usb-idmouse-fix-null-deref-at-probe.patch
queue-4.10/uwb-hwa-rc-fix-null-deref-at-probe.patch
queue-4.10/usb-lvtest-fix-null-deref-at-probe.patch
queue-4.10/input-yealink-validate-number-of-endpoints-before-using-them.patch
queue-4.10/usb-serial-qcserial-add-dell-dw5811e.patch
queue-4.10/usb-uss720-fix-null-deref-at-probe.patch
queue-4.10/usb-wusbcore-fix-null-deref-at-probe.patch