linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Johan Hovold <johan@kernel.org>
Subject: [PATCH 4.14 24/65] USB: serial: keyspan: fix NULL-derefs on open() and write()
Date: Wed, 16 Oct 2019 14:50:38 -0700	[thread overview]
Message-ID: <20191016214819.862368298@linuxfoundation.org> (raw)
In-Reply-To: <20191016214756.457746573@linuxfoundation.org>

From: Johan Hovold <johan@kernel.org>

commit 7d7e21fafdbc7fcf0854b877bd0975b487ed2717 upstream.

Fix NULL-pointer dereferences on open() and write() which can be
triggered by a malicious USB device.

The current URB allocation helper would fail to initialise the newly
allocated URB if the device has unexpected endpoint descriptors,
something which could lead NULL-pointer dereferences in a number of
open() and write() paths when accessing the URB. For example:

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	...
	RIP: 0010:usb_clear_halt+0x11/0xc0
	...
	Call Trace:
	 ? tty_port_open+0x4d/0xd0
	 keyspan_open+0x70/0x160 [keyspan]
	 serial_port_activate+0x5b/0x80 [usbserial]
	 tty_port_open+0x7b/0xd0
	 ? check_tty_count+0x43/0xa0
	 tty_open+0xf1/0x490

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	...
	RIP: 0010:keyspan_write+0x14e/0x1f3 [keyspan]
	...
	Call Trace:
	 serial_write+0x43/0xa0 [usbserial]
	 n_tty_write+0x1af/0x4f0
	 ? do_wait_intr_irq+0x80/0x80
	 ? process_echoes+0x60/0x60
	 tty_write+0x13f/0x2f0

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	...
	RIP: 0010:keyspan_usa26_send_setup+0x298/0x305 [keyspan]
	...
	Call Trace:
	 keyspan_open+0x10f/0x160 [keyspan]
	 serial_port_activate+0x5b/0x80 [usbserial]
	 tty_port_open+0x7b/0xd0
	 ? check_tty_count+0x43/0xa0
	 tty_open+0xf1/0x490

Fixes: fdcba53e2d58 ("fix for bugzilla #7544 (keyspan USB-to-serial converter)")
Cc: stable <stable@vger.kernel.org>	# 2.6.21
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/keyspan.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -1745,8 +1745,8 @@ static struct urb *keyspan_setup_urb(str
 
 	ep_desc = find_ep(serial, endpoint);
 	if (!ep_desc) {
-		/* leak the urb, something's wrong and the callers don't care */
-		return urb;
+		usb_free_urb(urb);
+		return NULL;
 	}
 	if (usb_endpoint_xfer_int(ep_desc)) {
 		ep_type_name = "INT";



  parent reply	other threads:[~2019-10-16 22:13 UTC|newest]

Thread overview: 73+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-16 21:50 [PATCH 4.14 00/65] 4.14.150-stable review Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 01/65] panic: ensure preemption is disabled during panic() Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 02/65] f2fs: use EINVAL for superblock with invalid magic Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 03/65] USB: rio500: Remove Rio 500 kernel driver Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 04/65] USB: yurex: Dont retry on unexpected errors Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 05/65] USB: yurex: fix NULL-derefs on disconnect Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 06/65] USB: usb-skeleton: fix runtime PM after driver unbind Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 07/65] USB: usb-skeleton: fix NULL-deref on disconnect Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 08/65] xhci: Fix false warning message about wrong bounce buffer write length Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 09/65] xhci: Prevent device initiated U1/U2 link pm if exit latency is too long Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 10/65] xhci: Check all endpoints for LPM timeout Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 11/65] usb: xhci: wait for CNR controller not ready bit in xhci resume Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 12/65] xhci: Increase STS_SAVE timeout in xhci_suspend() Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 13/65] USB: adutux: remove redundant variable minor Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 14/65] USB: adutux: fix use-after-free on disconnect Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 15/65] USB: adutux: fix NULL-derefs " Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 16/65] USB: adutux: fix use-after-free on release Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 17/65] USB: iowarrior: fix use-after-free on disconnect Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 18/65] USB: iowarrior: fix use-after-free on release Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 19/65] USB: iowarrior: fix use-after-free after driver unbind Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 20/65] USB: usblp: fix runtime PM " Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 21/65] USB: chaoskey: fix use-after-free on release Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 22/65] USB: ldusb: fix NULL-derefs on driver unbind Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 23/65] serial: uartlite: fix exit path null pointer Greg Kroah-Hartman
2019-10-16 21:50 ` Greg Kroah-Hartman [this message]
2019-10-16 21:50 ` [PATCH 4.14 25/65] USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 26/65] USB: serial: option: add Telit FN980 compositions Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 27/65] USB: serial: option: add support for Cinterion CLS8 devices Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 28/65] USB: serial: fix runtime PM after driver unbind Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 29/65] USB: usblcd: fix I/O after disconnect Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 30/65] USB: microtek: fix info-leak at probe Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 31/65] USB: dummy-hcd: fix power budget for SuperSpeed mode Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 32/65] usb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}() Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 33/65] usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 34/65] USB: legousbtower: fix slab info leak at probe Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 35/65] USB: legousbtower: fix deadlock on disconnect Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 36/65] USB: legousbtower: fix potential NULL-deref " Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 37/65] USB: legousbtower: fix open after failed reset request Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 38/65] USB: legousbtower: fix use-after-free on release Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 39/65] staging: vt6655: Fix memory leak in vt6655_probe Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 40/65] iio: adc: ad799x: fix probe error handling Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 41/65] iio: adc: axp288: Override TS pin bias current for some models Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 42/65] iio: light: opt3001: fix mutex unlock race Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 43/65] efivar/ssdt: Dont iterate over EFI vars if no SSDT override was specified Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 44/65] perf llvm: Dont access out-of-scope array Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 45/65] perf inject jit: Fix JIT_CODE_MOVE filename Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 46/65] CIFS: Gracefully handle QueryInfo errors during open Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 47/65] CIFS: Force revalidate inode when dentry is stale Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 48/65] CIFS: Force reval dentry if LOOKUP_REVAL flag is set Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 49/65] kernel/sysctl.c: do not override max_threads provided by userspace Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 50/65] firmware: google: increment VPD key_len properly Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 51/65] gpiolib: dont clear FLAG_IS_OUT when emulating open-drain/open-source Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 52/65] Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 53/65] iio: hx711: add delay until DOUT is ready Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 54/65] iio: adc: hx711: fix bug in sampling of data Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 55/65] btrfs: fix incorrect updating of log root tree Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 56/65] NFS: Fix O_DIRECT accounting of number of bytes read/written Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 57/65] MIPS: Disable Loongson MMI instructions for kernel build Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 58/65] Fix the locking in dcache_readdir() and friends Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 59/65] media: stkwebcam: fix runtime PM after driver unbind Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 60/65] tracing/hwlat: Report total time spent in all NMIs during the sample Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 61/65] tracing/hwlat: Dont ignore outer-loop duration when calculating max_latency Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 62/65] ftrace: Get a reference counter for the trace_array on filter files Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 63/65] tracing: Get trace_array reference for available_tracers files Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 64/65] x86/asm: Fix MWAITX C-state hint value Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 65/65] xfs: clear sb->s_fs_info on mount failure Greg Kroah-Hartman
2019-10-17  1:42 ` [PATCH 4.14 00/65] 4.14.150-stable review kernelci.org bot
2019-10-17  6:22 ` Naresh Kamboju
2019-10-17 14:55 ` shuah
2019-10-17 18:03 ` Guenter Roeck
2019-10-17 18:27 ` Didik Setiawan
2019-10-18  7:57 ` Jon Hunter
2019-10-18  9:59 ` Jinpu Wang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191016214819.862368298@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=johan@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).