linux-kernel.vger.kernel.org archive mirror
From: Arnd Bergmann <arnd@arndb.de>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "# 3.4.x" <stable@vger.kernel.org>,
	Kees Cook <keescook@chromium.org>,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
	Josh Boyer <jwboyer@fedoraproject.org>,
	Ralf Spenneberg <ralf@spenneberg.net>,
	USB list <linux-usb@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Chunyan Zhang <chunyan.zhang@spreadtrum.com>,
	Baolin Wang <baolin.wang@spreadtrum.com>
Subject: Re: [BACKPORT 4.4.y 04/25] USB: iowarrior: fix oops with malicious USB descriptors
Date: Tue, 26 Mar 2019 09:20:40 +0100
Message-ID: <CAK8P3a1u_2gz=UieoNT7yOqSKFvFOXA34CAs7w+qouoQTjqDgQ@mail.gmail.com>
In-Reply-To: <20190326011319.GC29420@kroah.com>

On Tue, Mar 26, 2019 at 2:23 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Fri, Mar 22, 2019 at 04:43:55PM +0100, Arnd Bergmann wrote:
> > From: Josh Boyer <jwboyer@fedoraproject.org>
> >
> > The iowarrior driver expects at least one valid endpoint.  If given
> > malicious descriptors that specify 0 for the number of endpoints,
> > it will crash in the probe function.  Ensure there is at least
> > one endpoint on the interface before using it.
> >
> > The full report of this issue can be found here:
> > http://seclists.org/bugtraq/2016/Mar/87
> >
> > Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
> > Cc: stable <stable@vger.kernel.org>
> > Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > (cherry picked from commit 4ec0ef3a82125efc36173062a50624550a900ae0)
> > Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> > ---
> >  drivers/usb/misc/iowarrior.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
>
> This commit has been in the tree for a long time.  It was in the 4.4.7
> release, back in April 2016.  And then it was reverted in commit
> b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe") as it broke
> systems.  So why add it back, the correct functionality should be there
> today, right?

Sorry I missed that history. The script I used to identify patches noticed
that this patch was not applied, but I did not have a check for already-
reverted patches.

Chunyan, Baolin: it seems the spreadtrum 4.4 kernel got this wrong
as well, by backporting the patch again on top of 4.4.172. Can you check
the latest internal version for this?

       Arnd
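
A userspace model of the endpoint-count check described in the quoted commit message, next to a stricter variant that looks up the specific endpoint a driver needs (the stricter variant goes beyond what the commit message describes). This is an added example, not code from the patch or from the iowarrior driver; the struct layout, function names, sample descriptors and the assumption that the driver needs an interrupt-IN endpoint are illustrative.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the descriptor fields a probe routine reads (not kernel structs). */
struct ep_desc { uint8_t bEndpointAddress, bmAttributes; };
struct iface_desc {
	uint8_t bNumEndpoints;          /* supplied by the device: untrusted */
	const struct ep_desc *endpoint; /* NULL when no endpoint was parsed */
};

#define EP_DIR_IN    0x80 /* bit 7 of bEndpointAddress */
#define EP_XFER_MASK 0x03 /* transfer type bits in bmAttributes */
#define EP_XFER_INT  0x03

/* Constructed sample descriptors (assumed values, for illustration only). */
static const struct ep_desc bulk_out_only[] = { { 0x02, 0x02 } };
static const struct ep_desc with_int_in[]   = { { 0x02, 0x02 }, { 0x81, 0x03 } };
const struct iface_desc no_endpoints = { 0, NULL };
const struct iface_desc wrong_type   = { 1, bulk_out_only };
const struct iface_desc well_formed  = { 2, with_int_in };

/* Check described in the commit message: at least one endpoint present. */
int probe_count_check(const struct iface_desc *id)
{
	return id->bNumEndpoints < 1 ? -EINVAL : 0;
}

/* Stricter: return the interrupt-IN endpoint address, or -ENODEV if absent. */
int probe_required_ep(const struct iface_desc *id)
{
	if (id->endpoint == NULL)
		return -ENODEV;
	for (unsigned i = 0; i < id->bNumEndpoints; i++) {
		const struct ep_desc *ep = &id->endpoint[i];
		if ((ep->bEndpointAddress & EP_DIR_IN) &&
		    (ep->bmAttributes & EP_XFER_MASK) == EP_XFER_INT)
			return ep->bEndpointAddress;
	}
	return -ENODEV;
}

int main(void)
{
	const struct iface_desc *t[] = { &no_endpoints, &wrong_type, &well_formed };
	for (size_t i = 0; i < 3; i++)
		printf("count=%d required=%d\n",
		       probe_count_check(t[i]), probe_required_ep(t[i]));
	return 0;
}
```

The `wrong_type` sample passes the count-only check but is rejected by the lookup, which is the case a count test alone cannot catch.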

