* [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe @ 2017-03-13 12:49 Johan Hovold 2017-03-13 13:42 ` Guenter Roeck 2017-03-13 17:16 ` Guenter Roeck 0 siblings, 2 replies; 11+ messages in thread From: Johan Hovold @ 2017-03-13 12:49 UTC (permalink / raw) To: Wim Van Sebroeck Cc: Guenter Roeck, linux-watchdog, linux-kernel, Johan Hovold, stable Make sure to check the number of endpoints to avoid dereferencing a NULL-pointer should a malicious device lack endpoints. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org> --- drivers/watchdog/pcwd_usb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/watchdog/pcwd_usb.c b/drivers/watchdog/pcwd_usb.c index 99ebf6ea3de6..5615f4013924 100644 --- a/drivers/watchdog/pcwd_usb.c +++ b/drivers/watchdog/pcwd_usb.c @@ -630,6 +630,9 @@ static int usb_pcwd_probe(struct usb_interface *interface, return -ENODEV; } + if (iface_desc->desc.bNumEndpoints < 1) + return -ENODEV; + /* check out the endpoint: it has to be Interrupt & IN */ endpoint = &iface_desc->endpoint[0].desc; -- 2.12.0 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe 2017-03-13 12:49 [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe Johan Hovold @ 2017-03-13 13:42 ` Guenter Roeck 2017-03-13 14:17 ` Johan Hovold 2017-03-13 17:16 ` Guenter Roeck 1 sibling, 1 reply; 11+ messages in thread From: Guenter Roeck @ 2017-03-13 13:42 UTC (permalink / raw) To: Johan Hovold, Wim Van Sebroeck; +Cc: linux-watchdog, linux-kernel, stable On 03/13/2017 05:49 AM, Johan Hovold wrote: > Make sure to check the number of endpoints to avoid dereferencing a > NULL-pointer should a malicious device lack endpoints. > Is this theory or was it actually observed ? Thanks, Guenter > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Johan Hovold <johan@kernel.org> > --- > drivers/watchdog/pcwd_usb.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/watchdog/pcwd_usb.c b/drivers/watchdog/pcwd_usb.c > index 99ebf6ea3de6..5615f4013924 100644 > --- a/drivers/watchdog/pcwd_usb.c > +++ b/drivers/watchdog/pcwd_usb.c > @@ -630,6 +630,9 @@ static int usb_pcwd_probe(struct usb_interface *interface, > return -ENODEV; > } > > + if (iface_desc->desc.bNumEndpoints < 1) > + return -ENODEV; > + > /* check out the endpoint: it has to be Interrupt & IN */ > endpoint = &iface_desc->endpoint[0].desc; > > ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe 2017-03-13 13:42 ` Guenter Roeck @ 2017-03-13 14:17 ` Johan Hovold 2017-03-13 17:15 ` Guenter Roeck 0 siblings, 1 reply; 11+ messages in thread From: Johan Hovold @ 2017-03-13 14:17 UTC (permalink / raw) To: Guenter Roeck Cc: Johan Hovold, Wim Van Sebroeck, linux-watchdog, linux-kernel, stable, linux-usb [ Adding linux-usb which I forgot to CC for this one ] On Mon, Mar 13, 2017 at 06:42:45AM -0700, Guenter Roeck wrote: > On 03/13/2017 05:49 AM, Johan Hovold wrote: > > Make sure to check the number of endpoints to avoid dereferencing a > > NULL-pointer should a malicious device lack endpoints. > > > > Is this theory or was it actually observed ? This was found through inspection, but creating a USB device to crash a host with this driver enabled is easily done. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > Cc: stable <stable@vger.kernel.org> > > Signed-off-by: Johan Hovold <johan@kernel.org> > > --- > > drivers/watchdog/pcwd_usb.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/drivers/watchdog/pcwd_usb.c b/drivers/watchdog/pcwd_usb.c > > index 99ebf6ea3de6..5615f4013924 100644 > > --- a/drivers/watchdog/pcwd_usb.c > > +++ b/drivers/watchdog/pcwd_usb.c > > @@ -630,6 +630,9 @@ static int usb_pcwd_probe(struct usb_interface *interface, > > return -ENODEV; > > } > > > > + if (iface_desc->desc.bNumEndpoints < 1) > > + return -ENODEV; > > + > > /* check out the endpoint: it has to be Interrupt & IN */ > > endpoint = &iface_desc->endpoint[0].desc; > > > > Johan ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe 2017-03-13 14:17 ` Johan Hovold @ 2017-03-13 17:15 ` Guenter Roeck 0 siblings, 0 replies; 11+ messages in thread From: Guenter Roeck @ 2017-03-13 17:15 UTC (permalink / raw) To: Johan Hovold Cc: Wim Van Sebroeck, linux-watchdog, linux-kernel, stable, linux-usb On Mon, Mar 13, 2017 at 03:17:39PM +0100, Johan Hovold wrote: > [ Adding linux-usb which I forgot to CC for this one ] > > On Mon, Mar 13, 2017 at 06:42:45AM -0700, Guenter Roeck wrote: > > On 03/13/2017 05:49 AM, Johan Hovold wrote: > > > Make sure to check the number of endpoints to avoid dereferencing a > > > NULL-pointer should a malicious device lack endpoints. > > > > > > > Is this theory or was it actually observed ? > > This was found through inspection, but creating a USB device to crash a > host with this driver enabled is easily done. > Ok, makes sense. I see other drivers doing a similar check. Guenter > > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > > Cc: stable <stable@vger.kernel.org> > > > Signed-off-by: Johan Hovold <johan@kernel.org> > > > --- > > > drivers/watchdog/pcwd_usb.c | 3 +++ > > > 1 file changed, 3 insertions(+) > > > > > > diff --git a/drivers/watchdog/pcwd_usb.c b/drivers/watchdog/pcwd_usb.c > > > index 99ebf6ea3de6..5615f4013924 100644 > > > --- a/drivers/watchdog/pcwd_usb.c > > > +++ b/drivers/watchdog/pcwd_usb.c > > > @@ -630,6 +630,9 @@ static int usb_pcwd_probe(struct usb_interface *interface, > > > return -ENODEV; > > > } > > > > > > + if (iface_desc->desc.bNumEndpoints < 1) > > > + return -ENODEV; > > > + > > > /* check out the endpoint: it has to be Interrupt & IN */ > > > endpoint = &iface_desc->endpoint[0].desc; > > > > > > > > Johan ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe 2017-03-13 12:49 [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe Johan Hovold 2017-03-13 13:42 ` Guenter Roeck @ 2017-03-13 17:16 ` Guenter Roeck 2017-04-03 8:36 ` Johan Hovold 1 sibling, 1 reply; 11+ messages in thread From: Guenter Roeck @ 2017-03-13 17:16 UTC (permalink / raw) To: Johan Hovold; +Cc: Wim Van Sebroeck, linux-watchdog, linux-kernel On Mon, Mar 13, 2017 at 01:49:45PM +0100, Johan Hovold wrote: > Make sure to check the number of endpoints to avoid dereferencing a > NULL-pointer should a malicious device lack endpoints. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Guenter Roeck <linux@roeck-us.net> Note that I dropped Cc: stable from my reply since it is not appropriate at this time. Guenter > --- > drivers/watchdog/pcwd_usb.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/watchdog/pcwd_usb.c b/drivers/watchdog/pcwd_usb.c > index 99ebf6ea3de6..5615f4013924 100644 > --- a/drivers/watchdog/pcwd_usb.c > +++ b/drivers/watchdog/pcwd_usb.c > @@ -630,6 +630,9 @@ static int usb_pcwd_probe(struct usb_interface *interface, > return -ENODEV; > } > > + if (iface_desc->desc.bNumEndpoints < 1) > + return -ENODEV; > + > /* check out the endpoint: it has to be Interrupt & IN */ > endpoint = &iface_desc->endpoint[0].desc; > > -- > 2.12.0 > ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe 2017-03-13 17:16 ` Guenter Roeck @ 2017-04-03 8:36 ` Johan Hovold 2017-04-03 14:05 ` Guenter Roeck 0 siblings, 1 reply; 11+ messages in thread From: Johan Hovold @ 2017-04-03 8:36 UTC (permalink / raw) To: Guenter Roeck Cc: Johan Hovold, Wim Van Sebroeck, linux-watchdog, linux-kernel On Mon, Mar 13, 2017 at 10:16:33AM -0700, Guenter Roeck wrote: > On Mon, Mar 13, 2017 at 01:49:45PM +0100, Johan Hovold wrote: > > Make sure to check the number of endpoints to avoid dereferencing a > > NULL-pointer should a malicious device lack endpoints. > > > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > Cc: stable <stable@vger.kernel.org> > > Signed-off-by: Johan Hovold <johan@kernel.org> > > Reviewed-by: Guenter Roeck <linux@roeck-us.net> Any progress on this one? I noticed you merged it to both the fixes and next branches in your staging tree, Guenter (but it does not show up in linux-next). Will you be sending it on to Linus? Thanks, Johan ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe 2017-04-03 8:36 ` Johan Hovold @ 2017-04-03 14:05 ` Guenter Roeck 2017-05-12 10:36 ` Johan Hovold 0 siblings, 1 reply; 11+ messages in thread From: Guenter Roeck @ 2017-04-03 14:05 UTC (permalink / raw) To: Johan Hovold; +Cc: Wim Van Sebroeck, linux-watchdog, linux-kernel On 04/03/2017 01:36 AM, Johan Hovold wrote: > On Mon, Mar 13, 2017 at 10:16:33AM -0700, Guenter Roeck wrote: >> On Mon, Mar 13, 2017 at 01:49:45PM +0100, Johan Hovold wrote: >>> Make sure to check the number of endpoints to avoid dereferencing a >>> NULL-pointer should a malicious device lack endpoints. >>> >>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") >>> Cc: stable <stable@vger.kernel.org> >>> Signed-off-by: Johan Hovold <johan@kernel.org> >> >> Reviewed-by: Guenter Roeck <linux@roeck-us.net> > > Any progress on this one? I noticed you merged it to both the fixes and > next branches in your staging tree, Guenter (but it does not show up in > linux-next). Will you be sending it on to Linus? > Hi Johan, my watchdog staging trees are inofficial and not in linux-next. Wim is working on setting up a new server which will provide the official staging tree. I asked Wim to push the pending patches. I'll do it if he asks me. Thanks, Guenter ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe 2017-04-03 14:05 ` Guenter Roeck @ 2017-05-12 10:36 ` Johan Hovold 2017-05-12 16:59 ` Guenter Roeck 0 siblings, 1 reply; 11+ messages in thread From: Johan Hovold @ 2017-05-12 10:36 UTC (permalink / raw) To: Guenter Roeck, Wim Van Sebroeck Cc: Johan Hovold, linux-watchdog, linux-kernel Hi Guenter and Wim, On Mon, Apr 03, 2017 at 07:05:46AM -0700, Guenter Roeck wrote: > On 04/03/2017 01:36 AM, Johan Hovold wrote: > > On Mon, Mar 13, 2017 at 10:16:33AM -0700, Guenter Roeck wrote: > >> On Mon, Mar 13, 2017 at 01:49:45PM +0100, Johan Hovold wrote: > >>> Make sure to check the number of endpoints to avoid dereferencing a > >>> NULL-pointer should a malicious device lack endpoints. > >>> > >>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > >>> Cc: stable <stable@vger.kernel.org> > >>> Signed-off-by: Johan Hovold <johan@kernel.org> > >> > >> Reviewed-by: Guenter Roeck <linux@roeck-us.net> > > > > Any progress on this one? I noticed you merged it to both the fixes and > > next branches in your staging tree, Guenter (but it does not show up in > > linux-next). Will you be sending it on to Linus? > my watchdog staging trees are inofficial and not in linux-next. > Wim is working on setting up a new server which will provide the > official staging tree. > > I asked Wim to push the pending patches. I'll do it if he asks me. I noticed Guenter's watchdog branch is now in next, but the patches for 4.12 are still not in mainline. Have you guys decided who will be sending them on to Linus this cycle? Thanks, Johan ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe 2017-05-12 10:36 ` Johan Hovold @ 2017-05-12 16:59 ` Guenter Roeck 2017-05-14 13:05 ` Wim Van Sebroeck 0 siblings, 1 reply; 11+ messages in thread From: Guenter Roeck @ 2017-05-12 16:59 UTC (permalink / raw) To: Johan Hovold; +Cc: Wim Van Sebroeck, linux-watchdog, linux-kernel On Fri, May 12, 2017 at 12:36:27PM +0200, Johan Hovold wrote: > Hi Guenter and Wim, > > On Mon, Apr 03, 2017 at 07:05:46AM -0700, Guenter Roeck wrote: > > On 04/03/2017 01:36 AM, Johan Hovold wrote: > > > On Mon, Mar 13, 2017 at 10:16:33AM -0700, Guenter Roeck wrote: > > >> On Mon, Mar 13, 2017 at 01:49:45PM +0100, Johan Hovold wrote: > > >>> Make sure to check the number of endpoints to avoid dereferencing a > > >>> NULL-pointer should a malicious device lack endpoints. > > >>> > > >>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > >>> Cc: stable <stable@vger.kernel.org> > > >>> Signed-off-by: Johan Hovold <johan@kernel.org> > > >> > > >> Reviewed-by: Guenter Roeck <linux@roeck-us.net> > > > > > > Any progress on this one? I noticed you merged it to both the fixes and > > > next branches in your staging tree, Guenter (but it does not show up in > > > linux-next). Will you be sending it on to Linus? > > > my watchdog staging trees are inofficial and not in linux-next. > > Wim is working on setting up a new server which will provide the > > official staging tree. > > > > I asked Wim to push the pending patches. I'll do it if he asks me. > > I noticed Guenter's watchdog branch is now in next, but the patches for > 4.12 are still not in mainline. Have you guys decided who will be > sending them on to Linus this cycle? > Good question. I had expected Wim to do it, since it is actually his repository which is in linux-next. But you are correct, it isn't upstream. Wim ? Thanks, Guenter ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe 2017-05-12 16:59 ` Guenter Roeck @ 2017-05-14 13:05 ` Wim Van Sebroeck 2017-05-14 13:20 ` Wim Van Sebroeck 0 siblings, 1 reply; 11+ messages in thread From: Wim Van Sebroeck @ 2017-05-14 13:05 UTC (permalink / raw) To: Guenter Roeck; +Cc: Johan Hovold, linux-watchdog, linux-kernel All, > On Fri, May 12, 2017 at 12:36:27PM +0200, Johan Hovold wrote: > > Hi Guenter and Wim, > > > > On Mon, Apr 03, 2017 at 07:05:46AM -0700, Guenter Roeck wrote: > > > On 04/03/2017 01:36 AM, Johan Hovold wrote: > > > > On Mon, Mar 13, 2017 at 10:16:33AM -0700, Guenter Roeck wrote: > > > >> On Mon, Mar 13, 2017 at 01:49:45PM +0100, Johan Hovold wrote: > > > >>> Make sure to check the number of endpoints to avoid dereferencing a > > > >>> NULL-pointer should a malicious device lack endpoints. > > > >>> > > > >>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > > >>> Cc: stable <stable@vger.kernel.org> > > > >>> Signed-off-by: Johan Hovold <johan@kernel.org> > > > >> > > > >> Reviewed-by: Guenter Roeck <linux@roeck-us.net> > > > > > > > > Any progress on this one? I noticed you merged it to both the fixes and > > > > next branches in your staging tree, Guenter (but it does not show up in > > > > linux-next). Will you be sending it on to Linus? > > > > > my watchdog staging trees are inofficial and not in linux-next. > > > Wim is working on setting up a new server which will provide the > > > official staging tree. > > > > > > I asked Wim to push the pending patches. I'll do it if he asks me. > > > > I noticed Guenter's watchdog branch is now in next, but the patches for > > 4.12 are still not in mainline. Have you guys decided who will be > > sending them on to Linus this cycle? > > > Good question. I had expected Wim to do it, since it is actually his > repository which is in linux-next. But you are correct, it isn't upstream. Due to some issues, we (Linus, Guenter and myself) decided that Guenter will sent the pull request this time (which he allready did). Kind regards, Wim. ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe 2017-05-14 13:05 ` Wim Van Sebroeck @ 2017-05-14 13:20 ` Wim Van Sebroeck 0 siblings, 0 replies; 11+ messages in thread From: Wim Van Sebroeck @ 2017-05-14 13:20 UTC (permalink / raw) To: Guenter Roeck; +Cc: Johan Hovold, linux-watchdog, linux-kernel All, > > On Fri, May 12, 2017 at 12:36:27PM +0200, Johan Hovold wrote: > > > Hi Guenter and Wim, > > > > > > On Mon, Apr 03, 2017 at 07:05:46AM -0700, Guenter Roeck wrote: > > > > On 04/03/2017 01:36 AM, Johan Hovold wrote: > > > > > On Mon, Mar 13, 2017 at 10:16:33AM -0700, Guenter Roeck wrote: > > > > >> On Mon, Mar 13, 2017 at 01:49:45PM +0100, Johan Hovold wrote: > > > > >>> Make sure to check the number of endpoints to avoid dereferencing a > > > > >>> NULL-pointer should a malicious device lack endpoints. > > > > >>> > > > > >>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > > > >>> Cc: stable <stable@vger.kernel.org> > > > > >>> Signed-off-by: Johan Hovold <johan@kernel.org> > > > > >> > > > > >> Reviewed-by: Guenter Roeck <linux@roeck-us.net> > > > > > > > > > > Any progress on this one? I noticed you merged it to both the fixes and > > > > > next branches in your staging tree, Guenter (but it does not show up in > > > > > linux-next). Will you be sending it on to Linus? > > > > > > > my watchdog staging trees are inofficial and not in linux-next. > > > > Wim is working on setting up a new server which will provide the > > > > official staging tree. > > > > > > > > I asked Wim to push the pending patches. I'll do it if he asks me. > > > > > > I noticed Guenter's watchdog branch is now in next, but the patches for > > > 4.12 are still not in mainline. Have you guys decided who will be > > > sending them on to Linus this cycle? > > > > > Good question. I had expected Wim to do it, since it is actually his > > repository which is in linux-next. But you are correct, it isn't upstream. > > Due to some issues, we (Linus, Guenter and myself) decided that Guenter will sent the pull request this time (which he allready did). OK, we were to late. We will line up the fixes for rc2. Feature changes and new drivers will be for next merge window. My apologies to the people that have sent in these changes and drivers. Kind regards, Wim. ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2017-05-14 13:20 UTC | newest] Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-03-13 12:49 [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe Johan Hovold 2017-03-13 13:42 ` Guenter Roeck 2017-03-13 14:17 ` Johan Hovold 2017-03-13 17:15 ` Guenter Roeck 2017-03-13 17:16 ` Guenter Roeck 2017-04-03 8:36 ` Johan Hovold 2017-04-03 14:05 ` Guenter Roeck 2017-05-12 10:36 ` Johan Hovold 2017-05-12 16:59 ` Guenter Roeck 2017-05-14 13:05 ` Wim Van Sebroeck 2017-05-14 13:20 ` Wim Van Sebroeck
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).