linux-kernel.vger.kernel.org archive mirror
From: Alan Stern <stern@rowland.harvard.edu>
To: Vladis Dronov <vdronov@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Oliver Neukum <oneukum@suse.com>,
	Hans de Goede <hdegoede@redhat.com>, <syzkaller@googlegroups.com>,
	<linux-usb@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	stable <stable@vger.kernel.org>
Subject: Re: [PATCH] usb: usbfs: fix crash in check_ctrlrecip()->usb_find_alt_setting()
Date: Tue, 25 Sep 2018 10:14:31 -0400 (EDT)
Message-ID: <Pine.LNX.4.44L0.1809251012040.1517-100000@iolanthe.rowland.org>
In-Reply-To: <20180925122242.10950-1-vdronov@redhat.com>

On Tue, 25 Sep 2018, Vladis Dronov wrote:

> ps->dev->actconfig can be NULL and cause NULL-deref in usb_find_alt_setting()
> before c9a4cb204e9e. Fix this anyway by checking that ps->dev->actconfig is not
> NULL, so usb_find_alt_setting() is not called with a known-bad argument.

What reason is there for having two different fixes for the same bug?  
This one isn't going to get into any mainline trees that don't already 
have c9a4cb204e9e.

Alan Stern

> Signed-off-by: Vladis Dronov <vdronov@redhat.com>
> Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com
> ---
>  drivers/usb/core/devio.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
> index 6ce77b33da61..26047620b003 100644
> --- a/drivers/usb/core/devio.c
> +++ b/drivers/usb/core/devio.c
> @@ -824,7 +824,7 @@ static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
>  	 * class specification, which we always want to allow as it is used
>  	 * to query things like ink level, etc.
>  	 */
> -	if (requesttype == 0xa1 && request == 0) {
> +	if (requesttype == 0xa1 && request == 0 && ps->dev->actconfig) {
>  		alt_setting = usb_find_alt_setting(ps->dev->actconfig,
>  						   index >> 8, index & 0xff);
>  		if (alt_setting
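
Review bot: The new `ps->dev->actconfig` test in the `requesttype == 0xa1 && request == 0` condition is not explained by the comment block above it, which still describes only the printer-class request. Add a line to that comment saying actconfig can be NULL and that the special case is skipped in that state, so the check is not later dropped as redundant. Skipping the block also means such a request continues into the code after it, which this hunk does not show; the changelog should state that this fall-through is the intended result.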

