lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 13 Mar 2017 10:15:04 -0700
From:   Guenter Roeck <linux@...ck-us.net>
To:     Johan Hovold <johan@...nel.org>
Cc:     Wim Van Sebroeck <wim@...ana.be>, linux-watchdog@...r.kernel.org,
        linux-kernel@...r.kernel.org, stable <stable@...r.kernel.org>,
        linux-usb@...r.kernel.org
Subject: Re: [PATCH] watchdog: pcwd_usb: fix NULL-deref at probe

On Mon, Mar 13, 2017 at 03:17:39PM +0100, Johan Hovold wrote:
> [ Adding linux-usb which I forgot to CC for this one ]
> 
> On Mon, Mar 13, 2017 at 06:42:45AM -0700, Guenter Roeck wrote:
> > On 03/13/2017 05:49 AM, Johan Hovold wrote:
> > > Make sure to check the number of endpoints to avoid dereferencing a
> > > NULL-pointer should a malicious device lack endpoints.
> > >
> > 
> > Is this theory or was it actually observed ?
> 
> This was found through inspection, but creating a USB device to crash a
> host with this driver enabled is easily done.
> 
Ok, makes sense. I see other drivers doing a similar check.

Guenter

> > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > > Cc: stable <stable@...r.kernel.org>
> > > Signed-off-by: Johan Hovold <johan@...nel.org>
> > > ---
> > >  drivers/watchdog/pcwd_usb.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/drivers/watchdog/pcwd_usb.c b/drivers/watchdog/pcwd_usb.c
> > > index 99ebf6ea3de6..5615f4013924 100644
> > > --- a/drivers/watchdog/pcwd_usb.c
> > > +++ b/drivers/watchdog/pcwd_usb.c
> > > @@ -630,6 +630,9 @@ static int usb_pcwd_probe(struct usb_interface *interface,
> > >  		return -ENODEV;
> > >  	}
> > >
> > > +	if (iface_desc->desc.bNumEndpoints < 1)
> > > +		return -ENODEV;
> > > +
> > >  	/* check out the endpoint: it has to be Interrupt & IN */
> > >  	endpoint = &iface_desc->endpoint[0].desc;
> > >
> > >
> 
> Johan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ