From: Arnd Bergmann
Date: Tue, 26 Mar 2019 09:20:40 +0100
Subject: Re: [BACKPORT 4.4.y 04/25] USB: iowarrior: fix oops with malicious USB descriptors
To: Greg Kroah-Hartman
Cc: "# 3.4.x", Kees Cook, Sebastian Andrzej Siewior, "Gustavo A. R. Silva", Josh Boyer, Ralf Spenneberg, USB list, Linux Kernel Mailing List, Chunyan Zhang, Baolin Wang
References: <20190322154425.3852517-1-arnd@arndb.de> <20190322154425.3852517-5-arnd@arndb.de> <20190326011319.GC29420@kroah.com>
In-Reply-To: <20190326011319.GC29420@kroah.com>

On Tue, Mar 26, 2019 at 2:23 AM Greg Kroah-Hartman wrote:
>
> On Fri, Mar 22, 2019 at 04:43:55PM +0100, Arnd Bergmann wrote:
> > From: Josh Boyer
> >
> > The iowarrior driver expects at least one valid endpoint. If given
> > malicious descriptors that specify 0 for the number of endpoints,
> > it will crash in the probe function. Ensure there is at least
> > one endpoint on the interface before using it.
> >
> > The full report of this issue can be found here:
> > http://seclists.org/bugtraq/2016/Mar/87
> >
> > Reported-by: Ralf Spenneberg
> > Cc: stable
> > Signed-off-by: Josh Boyer
> > Signed-off-by: Greg Kroah-Hartman
> > (cherry picked from commit 4ec0ef3a82125efc36173062a50624550a900ae0)
> > Signed-off-by: Arnd Bergmann
> > ---
> >  drivers/usb/misc/iowarrior.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
>
> This commit has been in the tree for a long time. It was in the 4.4.7
> release, back in April 2016. And then it was reverted in commit
> b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe") as it broke
> systems. So why add it back, the correct functionality should be there
> today, right?

Sorry I missed that history.
The script I used to identify patches noticed
that this patch was not applied, but I did not have a check for
already-reverted patches.

Chunyan, Baolin: it seems the spreadtrum 4.4 kernel got this wrong
as well, by backporting the patch again on top of 4.4.172. Can you check
the latest internal version for this?

       Arnd
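
Added example, not part of the original thread and not the script Arnd refers to: one way a backport-candidate check could tell "never applied" apart from "applied, then reverted or reworked" on a stable branch. It goes slightly beyond the thread by also treating a later `Fixes:` tag as a follow-up; the log export format, the function names and every commit id other than the upstream id quoted above are assumptions made for illustration.

```python
import re

# Upstream commit id quoted in the thread; every other id below is a placeholder.
UPSTREAM = "4ec0ef3a82125efc36173062a50624550a900ae0"
# Constructed sample in the shape of
#   git log --reverse --format='%H%x00%B%x01' <stable-branch>
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\x00"
    "USB: iowarrior: fix oops with malicious USB descriptors\n\n"
    f"commit {UPSTREAM} upstream.\n\x01\n"
    "2222222222222222222222222222222222222222\x00"
    "constructed unrelated change\n\x01\n"
    "3333333333333333333333333333333333333333\x00"
    "constructed follow-up that replaces the earlier check\n\n"
    f"Fixes: {UPSTREAM[:12]} (\"constructed subject\")\n\x01\n"
)

# Markers stable and vendor trees use to name the upstream commit a backport carries.
BACKPORT_RE = re.compile(
    r"(?:^commit |\[ Upstream commit |\(cherry picked from commit )([0-9a-f]{40})",
    re.M)
# Later commits that undo or rework an earlier one.
FOLLOWUP_RE = re.compile(r"^(?:This reverts commit|Fixes:) ([0-9a-f]{8,40})", re.M)

def parse_log(text):
    """Yield (commit id, message) per record, oldest first."""
    for rec in text.split("\x01"):
        rec = rec.strip("\n")
        if rec:
            sha, _, msg = rec.partition("\x00")
            yield sha, msg

def backport_status(upstream, log_text):
    """Return (status, follow-up ids); status is missing, applied or superseded."""
    applied_as, followups = None, []
    for sha, msg in parse_log(log_text):
        if applied_as is None:
            if upstream in BACKPORT_RE.findall(msg):
                applied_as = sha  # branch-local id of the backport
            continue
        # Reverts name the branch-local id; Fixes: tags name the upstream id,
        # usually abbreviated, so compare by prefix against both.
        if any(applied_as.startswith(r) or upstream.startswith(r)
               for r in FOLLOWUP_RE.findall(msg)):
            followups.append(sha)
    if applied_as is None:
        return "missing", []
    return ("superseded" if followups else "applied"), followups
```

A "superseded" result means the candidate should go to a human for review instead of being queued again; "missing" alone is what a script without this check would also report for a patch that was applied and later taken out by a commit that strips the marker lines.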