* [PATCH] mct_u232: sanity checking in probe
@ 2016-03-17 10:38 Oliver Neukum
2016-03-17 14:47 ` Johan Hovold
0 siblings, 1 reply; 6+ messages in thread
From: Oliver Neukum @ 2016-03-17 10:38 UTC
To: linux-usb, johan; +Cc: Oliver Neukum, Oliver Neukum, stable
An attack using the lack of sanity checking in probe
is known. This patch checks for the existence of a
second port.
CVE-2016-3136
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
---
drivers/usb/serial/mct_u232.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index fd707d6..d6a36b1 100644
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
{
struct mct_u232_private *priv;
+ /* check first to simplify error handling */
+ if (!port->serial->port[1])
+ return -ENODEV;
+
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;
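Review bot: The added condition is the same "if (!port->serial->port[1])" as in the first posting, and the "index fd707d6..d6a36b1" line is identical too, so the review comment in this thread about the second port's interrupt-in urb is not addressed here. The test needs to cover port->serial->port[1]->interrupt_in_urb as well before the function goes on to use it.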
--
2.1.4
* Re: [PATCH] mct_u232: sanity checking in probe
2016-03-17 10:38 [PATCH] mct_u232: sanity checking in probe Oliver Neukum
@ 2016-03-17 14:47 ` Johan Hovold
2016-03-21 12:38 ` Oliver Neukum
0 siblings, 1 reply; 6+ messages in thread
From: Johan Hovold @ 2016-03-17 14:47 UTC
To: Oliver Neukum; +Cc: linux-usb, johan, stable
On Thu, Mar 17, 2016 at 11:38:42AM +0100, Oliver Neukum wrote:
> An attack using the lack of sanity checking in probe
> is known. This patch checks for the existence of a
> second port.
> CVE-2016-3136
>
> Signed-off-by: Oliver Neukum <ONeukum@suse.com>
> CC: stable@vger.kernel.org
> ---
> drivers/usb/serial/mct_u232.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
> index fd707d6..d6a36b1 100644
> --- a/drivers/usb/serial/mct_u232.c
> +++ b/drivers/usb/serial/mct_u232.c
> @@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
> {
> struct mct_u232_private *priv;
>
> + /* check first to simplify error handling */
> + if (!port->serial->port[1])
> + return -ENODEV;
> +
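Review bot: The comment on the first added line, "check first to simplify error handling", explains where the test is placed but not what it protects. Suggest saying that this driver needs a second port, so a reader of mct_u232_port_probe() can see why a missing port[1] means -ENODEV.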
This looks like you just resent v1 (again, please include the revision
in the mail Subject).
Thanks,
Johan
* Re: [PATCH] mct_u232: sanity checking in probe
2016-03-17 14:47 ` Johan Hovold
@ 2016-03-21 12:38 ` Oliver Neukum
0 siblings, 0 replies; 6+ messages in thread
From: Oliver Neukum @ 2016-03-21 12:38 UTC
To: Johan Hovold; +Cc: linux-usb, stable
On Thu, 2016-03-17 at 10:47 -0400, Johan Hovold wrote:
> This looks like you just resent v1 (again, please include the revision
> in the mail Subject).
Indeed. Wrong directory.
Sorry
Oliver
* [PATCH] mct_u232: sanity checking in probe
@ 2016-03-21 12:37 Oliver Neukum
0 siblings, 0 replies; 6+ messages in thread
From: Oliver Neukum @ 2016-03-21 12:37 UTC
To: linux-usb, johan; +Cc: Oliver Neukum, Oliver Neukum, stable
An attack using the lack of sanity checking in probe
is known. This patch checks for the existence of a
second port.
CVE-2016-3136
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
v1 - add sanity check for presence of a second port
v2 - add sanity check for an interrupt endpoint
---
drivers/usb/serial/mct_u232.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index 4446b8d..3e64538 100644
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
{
struct mct_u232_private *priv;
+ /* check first to simplify error handling */
+ if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb)
+ return -ENODEV;
+
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;
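Review bot: The condition on the second added line writes out port->serial->port[1] twice; taking the second port into a local pointer first would make the two tests (port present, its interrupt_in_urb present) easier to read and keep the line short. As the review in this thread notes, verifying the interrupt-in urb at interface probe would be the better long-term place for this, so a short comment to that effect would help whoever does the cleanup.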
--
2.1.4
* Re: [PATCH] mct_u232: sanity checking in probe
2016-03-16 13:23 Oliver Neukum
@ 2016-03-16 14:34 ` Johan Hovold
0 siblings, 0 replies; 6+ messages in thread
From: Johan Hovold @ 2016-03-16 14:34 UTC
To: Oliver Neukum; +Cc: linux-usb, johan, stable
On Wed, Mar 16, 2016 at 02:23:33PM +0100, Oliver Neukum wrote:
> An attack using the lack of sanity checking in probe
> is known. This patch checks for the existence of a
> second port.
> CVE-2016-3136
>
> Signed-off-by: Oliver Neukum <ONeukum@suse.com>
> CC: stable@vger.kernel.org
> ---
> drivers/usb/serial/mct_u232.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
> index fd707d6..d6a36b1 100644
> --- a/drivers/usb/serial/mct_u232.c
> +++ b/drivers/usb/serial/mct_u232.c
> @@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
> {
> struct mct_u232_private *priv;
>
> + /* check first to simplify error handling */
> + if (!port->serial->port[1])
> + return -ENODEV;
> +
This check is not sufficient as the second port's interrupt-in urb is
also unconditionally dereferenced below. Care to fix that up?
Ideally the existence of a second interrupt-in urb should have been
verified already at interface probe. But we can clean that up later.
> priv = kzalloc(sizeof(*priv), GFP_KERNEL);
> if (!priv)
> return -ENOMEM;
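Review bot: The added "return -ENODEV;" refuses the port without printing anything, so when a device is rejected here the kernel log gives no reason. A dev_err(&port->dev, ...) ahead of the return, naming the missing second port, would make that case diagnosable.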
Thanks,
Johan
* [PATCH] mct_u232: sanity checking in probe
@ 2016-03-16 13:23 Oliver Neukum
2016-03-16 14:34 ` Johan Hovold
0 siblings, 1 reply; 6+ messages in thread
From: Oliver Neukum @ 2016-03-16 13:23 UTC
To: linux-usb, johan; +Cc: Oliver Neukum, Oliver Neukum, stable
An attack using the lack of sanity checking in probe
is known. This patch checks for the existence of a
second port.
CVE-2016-3136
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
---
drivers/usb/serial/mct_u232.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index fd707d6..d6a36b1 100644
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
{
struct mct_u232_private *priv;
+ /* check first to simplify error handling */
+ if (!port->serial->port[1])
+ return -ENODEV;
+
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;
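Review bot: The added "if (!port->serial->port[1])" establishes only that the second port pointer is non-NULL; it says nothing about that port's interrupt-in urb, which per the review reply in this thread is dereferenced unconditionally further down in mct_u232_port_probe(). A device with a second port but no interrupt-in endpoint would still pass. Extend the condition with "|| !port->serial->port[1]->interrupt_in_urb".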
--
2.1.4