From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Arnd Bergmann <arnd@arndb.de>
Cc: stable@vger.kernel.org, Kees Cook <keescook@chromium.org>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
Josh Boyer <jwboyer@fedoraproject.org>,
Ralf Spenneberg <ralf@spenneberg.net>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [BACKPORT 4.4.y 04/25] USB: iowarrior: fix oops with malicious USB descriptors
Date: Tue, 26 Mar 2019 10:13:19 +0900 [thread overview]
Message-ID: <20190326011319.GC29420@kroah.com> (raw)
In-Reply-To: <20190322154425.3852517-5-arnd@arndb.de>
On Fri, Mar 22, 2019 at 04:43:55PM +0100, Arnd Bergmann wrote:
> From: Josh Boyer <jwboyer@fedoraproject.org>
>
> The iowarrior driver expects at least one valid endpoint. If given
> malicious descriptors that specify 0 for the number of endpoints,
> it will crash in the probe function. Ensure there is at least
> one endpoint on the interface before using it.
>
> The full report of this issue can be found here:
> http://seclists.org/bugtraq/2016/Mar/87
>
> Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> (cherry picked from commit 4ec0ef3a82125efc36173062a50624550a900ae0)
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> drivers/usb/misc/iowarrior.c | 6 ++++++
> 1 file changed, 6 insertions(+)
This commit has been in the tree for a long time. It was in the 4.4.7
release, back in April 2016. And then it was reverted in commit
b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe") as it broke
systems. So why add it back, the correct functionality should be there
today, right?
thanks,
greg k-h
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Arnd Bergmann <arnd@arndb.de>
Cc: stable@vger.kernel.org, Kees Cook <keescook@chromium.org>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
Josh Boyer <jwboyer@fedoraproject.org>,
Ralf Spenneberg <ralf@spenneberg.net>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [BACKPORT,4.4.y,04/25] USB: iowarrior: fix oops with malicious USB descriptors
Date: Tue, 26 Mar 2019 10:13:19 +0900 [thread overview]
Message-ID: <20190326011319.GC29420@kroah.com> (raw)
On Fri, Mar 22, 2019 at 04:43:55PM +0100, Arnd Bergmann wrote:
> From: Josh Boyer <jwboyer@fedoraproject.org>
>
> The iowarrior driver expects at least one valid endpoint. If given
> malicious descriptors that specify 0 for the number of endpoints,
> it will crash in the probe function. Ensure there is at least
> one endpoint on the interface before using it.
>
> The full report of this issue can be found here:
> http://seclists.org/bugtraq/2016/Mar/87
>
> Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> (cherry picked from commit 4ec0ef3a82125efc36173062a50624550a900ae0)
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> drivers/usb/misc/iowarrior.c | 6 ++++++
> 1 file changed, 6 insertions(+)
This commit has been in the tree for a long time. It was in the 4.4.7
release, back in April 2016. And then it was reverted in commit
b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe") as it broke
systems. So why add it back, the correct functionality should be there
today, right?
thanks,
greg k-h
next prev parent reply other threads:[~2019-03-26 1:23 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-22 15:43 [BACKPORT 4.4.y 00/25] candidates from spreadtrum 4.4 product kernel Arnd Bergmann
2019-03-22 15:43 ` Arnd Bergmann
2019-03-22 15:43 ` Arnd Bergmann
2019-03-22 15:43 ` Arnd Bergmann
2019-03-22 15:43 ` [BACKPORT 4.4.y 01/25] mmc: pwrseq: constify mmc_pwrseq_ops structures Arnd Bergmann
2019-03-26 1:08 ` Greg KH
2019-03-26 6:44 ` Julia Lawall
2019-03-26 8:11 ` Arnd Bergmann
2019-03-22 15:43 ` [BACKPORT 4.4.y 02/25] ALSA: compress: add support for 32bit calls in a 64bit kernel Arnd Bergmann
2019-03-26 1:09 ` Greg KH
2019-03-26 7:55 ` Arnd Bergmann
2019-03-30 9:40 ` Greg KH
2019-03-22 15:43 ` [BACKPORT 4.4.y 03/25] mmc: pwrseq_simple: Make reset-gpios optional to match doc Arnd Bergmann
2019-03-22 15:43 ` [BACKPORT 4.4.y 04/25] USB: iowarrior: fix oops with malicious USB descriptors Arnd Bergmann
2019-03-22 15:43 ` [BACKPORT,4.4.y,04/25] " Arnd Bergmann
2019-03-26 1:13 ` Greg Kroah-Hartman [this message]
2019-03-26 1:13 ` Greg Kroah-Hartman
2019-03-26 8:20 ` [BACKPORT 4.4.y 04/25] " Arnd Bergmann
2019-03-26 8:20 ` [BACKPORT,4.4.y,04/25] " Arnd Bergmann
2019-03-26 9:35 ` [BACKPORT 4.4.y 04/25] " Baolin Wang
2019-03-26 9:35 ` [BACKPORT,4.4.y,04/25] " Baolin Wang
2019-03-26 9:47 ` [BACKPORT 4.4.y 04/25] " 翟京 (Orson Zhai)
2019-03-26 9:47 ` [BACKPORT,4.4.y,04/25] " 翟京 (Orson Zhai)
2019-03-22 15:43 ` [BACKPORT 4.4.y 05/25] mmc: debugfs: Add a restriction to mmc debugfs clock setting Arnd Bergmann
2019-03-22 15:43 ` [BACKPORT 4.4.y 06/25] mmc: make MAN_BKOPS_EN message a debug Arnd Bergmann
2019-03-22 15:43 ` [BACKPORT 4.4.y 07/25] mmc: sanitize 'bus width' in debug output Arnd Bergmann
2019-03-22 15:43 ` [BACKPORT 4.4.y 08/25] mmc: core: shut up "voltage-ranges unspecified" pr_info() Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT 4.4.y 09/25] usb: dwc3: gadget: Fix suspend/resume during device mode Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT,4.4.y,09/25] " Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT 4.4.y 10/25] arm64: mm: Add trace_irqflags annotations to do_debug_exception() Arnd Bergmann
2019-03-22 15:44 ` Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT 4.4.y 11/25] mmc: core: fix using wrong io voltage if mmc_select_hs200 fails Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT 4.4.y 12/25] mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT 4.4.y 13/25] extcon: usb-gpio: Don't miss event during suspend/resume Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT 4.4.y 14/25] kbuild: setlocalversion: print error to STDERR Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT 4.4.y 15/25] usb: gadget: composite: fix dereference after null check coverify warning Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT,4.4.y,15/25] " Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT 4.4.y 16/25] usb: gadget: Add the gserial port checking in gs_start_tx() Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT,4.4.y,16/25] " Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT 4.4.y 17/25] mmc: core: don't try to switch block size for dual rate mode Arnd Bergmann
2019-03-26 1:27 ` Greg KH
2019-03-26 8:14 ` Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT 4.4.y 18/25] tcp/dccp: drop SYN packets if accept queue is full Arnd Bergmann
2019-03-22 15:44 ` Arnd Bergmann
2019-03-26 1:21 ` Greg KH
2019-03-26 1:21 ` Greg KH
2019-03-22 15:44 ` [BACKPORT 4.4.y 19/25] serial: sprd: adjust TIMEOUT to a big value Arnd Bergmann
2019-03-26 1:21 ` Greg KH
2019-03-22 15:44 ` [BACKPORT 4.4.y 20/25] Hang/soft lockup in d_invalidate with simultaneous calls Arnd Bergmann
2019-03-26 1:30 ` Greg KH
2019-03-22 15:44 ` [BACKPORT 4.4.y 21/25] arm64: traps: disable irq in die() Arnd Bergmann
2019-03-22 15:44 ` Arnd Bergmann
2019-03-26 1:31 ` Greg KH
2019-03-26 1:31 ` Greg KH
2019-03-22 15:44 ` [BACKPORT 4.4.y 22/25] usb: renesas_usbhs: gadget: fix unused-but-set-variable warning Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT,4.4.y,22/25] " Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT 4.4.y 23/25] serial: sprd: clear timeout interrupt only rather than all interrupts Arnd Bergmann
2019-03-26 1:34 ` Greg KH
2019-03-22 15:44 ` [BACKPORT 4.4.y 24/25] lib/int_sqrt: optimize small argument Arnd Bergmann
2019-03-26 1:36 ` Greg KH
2019-03-22 15:44 ` [BACKPORT 4.4.y 25/25] USB: core: only clean up what we allocated Arnd Bergmann
2019-03-22 15:44 ` [BACKPORT,4.4.y,25/25] " Arnd Bergmann
2019-03-26 1:36 ` [BACKPORT 4.4.y 25/25] " Greg Kroah-Hartman
2019-03-26 1:36 ` [BACKPORT,4.4.y,25/25] " Greg Kroah-Hartman
2019-03-26 2:18 ` [BACKPORT 4.4.y 00/25] candidates from spreadtrum 4.4 product kernel Greg KH
2019-03-26 2:18 ` Greg KH
2019-03-26 2:18 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190326011319.GC29420@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=arnd@arndb.de \
--cc=bigeasy@linutronix.de \
--cc=gustavo@embeddedor.com \
--cc=jwboyer@fedoraproject.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=ralf@spenneberg.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.