All of lore.kernel.org
 help / color / mirror / Atom feed
From: Kamal Mostafa <kamal@canonical.com>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	kernel-team@lists.ubuntu.com
Cc: Vladis Dronov <vdronov@redhat.com>,
	Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
	Kamal Mostafa <kamal@canonical.com>
Subject: [PATCH 3.13.y-ckt 03/30] [media] usbvision: fix crash on detecting device with invalid configuration
Date: Wed, 10 Feb 2016 13:41:41 -0800	[thread overview]
Message-ID: <1455140528-17076-4-git-send-email-kamal@canonical.com> (raw)
In-Reply-To: <1455140528-17076-1-git-send-email-kamal@canonical.com>

3.13.11-ckt35 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Vladis Dronov <vdronov@redhat.com>

commit fa52bd506f274b7619955917abfde355e3d19ffe upstream.

The usbvision driver crashes when a specially crafted usb device with invalid
number of interfaces or endpoints is detected. This fix adds checks that the
device has proper configuration expected by the driver.

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/media/usb/usbvision/usbvision-video.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c
index 72711a1..ad5070a 100644
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1546,9 +1546,23 @@ static int usbvision_probe(struct usb_interface *intf,
 
 	if (usbvision_device_data[model].interface >= 0)
 		interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
-	else
+	else if (ifnum < dev->actconfig->desc.bNumInterfaces)
 		interface = &dev->actconfig->interface[ifnum]->altsetting[0];
+	else {
+		dev_err(&intf->dev, "interface %d is invalid, max is %d\n",
+		    ifnum, dev->actconfig->desc.bNumInterfaces - 1);
+		ret = -ENODEV;
+		goto err_usb;
+	}
+
+	if (interface->desc.bNumEndpoints < 2) {
+		dev_err(&intf->dev, "interface %d has %d endpoints, but must"
+		    " have minimum 2\n", ifnum, interface->desc.bNumEndpoints);
+		ret = -ENODEV;
+		goto err_usb;
+	}
 	endpoint = &interface->endpoint[1].desc;
+
 	if (!usb_endpoint_xfer_isoc(endpoint)) {
 		dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n",
 		    __func__, ifnum);
-- 
1.9.1

  parent reply	other threads:[~2016-02-10 21:50 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-10 21:41 [3.13.y-ckt stable] Linux 3.13.11-ckt35 stable review Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 01/30] [media] usbvision fix overflow of interfaces array Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 02/30] [media] usbvision: fix leak of usb_dev on failure paths in usbvision_probe() Kamal Mostafa
2016-02-10 21:41 ` Kamal Mostafa [this message]
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 04/30] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 05/30] USB: serial: visor: fix crash on detecting device without write_urbs Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 06/30] ASN.1: Fix non-match detection failure on data overrun Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 07/30] qeth: initialize net_device with carrier off Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 08/30] iio: adis_buffer: Fix out-of-bounds memory access Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 09/30] x86/irq: Call chip->irq_set_affinity in proper context Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 10/30] usb: cdc-acm: handle unlinked urb in acm read callback Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 11/30] usb: cdc-acm: send zero packet for intel 7260 modem Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 12/30] cdc-acm:exclude Samsung phone 04e8:685d Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 13/30] usb: hub: do not clear BOS field during reset device Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 14/30] USB: cp210x: add ID for IAI USB to RS485 adaptor Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 15/30] USB: visor: fix null-deref at probe Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 16/30] USB: serial: option: Adding support for Telit LE922 Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 17/30] ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup() Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 18/30] ALSA: seq: Degrade the error message for too many opens Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 19/30] USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 20/30] USB: option: fix Cinterion AHxx enumeration Kamal Mostafa
2016-02-10 21:41 ` [PATCH 3.13.y-ckt 21/30] ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures Kamal Mostafa
2016-02-10 21:42 ` [PATCH 3.13.y-ckt 22/30] ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay Kamal Mostafa
2016-02-10 21:42 ` [PATCH 3.13.y-ckt 23/30] arm64: errata: Add -mpc-relative-literal-loads to build flags Kamal Mostafa
2016-02-10 21:42 ` [PATCH 3.13.y-ckt 24/30] SCSI: fix crashes in sd and sr runtime PM Kamal Mostafa
2016-02-10 21:42 ` [PATCH 3.13.y-ckt 25/30] n_tty: Fix unsafe reference to "other" ldisc Kamal Mostafa
2016-02-10 21:42 ` [PATCH 3.13.y-ckt 26/30] ALSA: dummy: Disable switching timer backend via sysfs Kamal Mostafa
2016-02-10 21:42 ` [PATCH 3.13.y-ckt 27/30] drm/vmwgfx: respect 'nomodeset' Kamal Mostafa
2016-02-10 21:42 ` [PATCH 3.13.y-ckt 28/30] x86/mm/pat: Avoid truncation when converting cpa->numpages to address Kamal Mostafa
2016-02-10 21:42 ` [PATCH 3.13.y-ckt 29/30] perf annotate browser: Fix behaviour of Shift-Tab with nothing focussed Kamal Mostafa
2016-02-10 21:42 ` [PATCH 3.13.y-ckt 30/30] powerpc/perf: Remove PPMU_HAS_SSLOT flag for Power8 Kamal Mostafa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1455140528-17076-4-git-send-email-kamal@canonical.com \
    --to=kamal@canonical.com \
    --cc=kernel-team@lists.ubuntu.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mchehab@osg.samsung.com \
    --cc=stable@vger.kernel.org \
    --cc=vdronov@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.