Message-ID: <Pine.LNX.4.44L0.1809251012040.1517-100000@iolanthe.rowland.org>
Date:   Tue, 25 Sep 2018 10:14:31 -0400 (EDT)
From:   Alan Stern <stern@...land.harvard.edu>
To:     Vladis Dronov <vdronov@...hat.com>
cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Oliver Neukum <oneukum@...e.com>,
        Hans de Goede <hdegoede@...hat.com>,
        <syzkaller@...glegroups.com>, <linux-usb@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, stable <stable@...r.kernel.org>
Subject: Re: [PATCH] usb: usbfs: fix crash in check_ctrlrecip()->usb_find_alt_setting()

On Tue, 25 Sep 2018, Vladis Dronov wrote:

> ps->dev->actconfig can be NULL and cause NULL-deref in usb_find_alt_setting()
> before c9a4cb204e9e. fix this anyway by checking that ps->dev->actconfig is not
> NULL, so usb_find_alt_setting() is not called with a known-bad argument.

What reason is there for having two different fixes for the same bug?  
This one isn't going to get into any mainline trees that don't already 
have c9a4cb204e9e.

Alan Stern

> Signed-off-by: Vladis Dronov <vdronov@...hat.com>
> Reported-by: syzbot+19c3aaef85a89d451eac@...kaller.appspotmail.com
> ---
>  drivers/usb/core/devio.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
> index 6ce77b33da61..26047620b003 100644
> --- a/drivers/usb/core/devio.c
> +++ b/drivers/usb/core/devio.c
> @@ -824,7 +824,7 @@ static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
>  	 * class specification, which we always want to allow as it is used
>  	 * to query things like ink level, etc.
>  	 */
> -	if (requesttype == 0xa1 && request == 0) {
> +	if (requesttype == 0xa1 && request == 0 && ps->dev->actconfig) {
>  		alt_setting = usb_find_alt_setting(ps->dev->actconfig,
>  						   index >> 8, index & 0xff);
>  		if (alt_setting
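
Review bot: The added ps->dev->actconfig test in the "requesttype == 0xa1 && request == 0" condition has no comment explaining when actconfig can be NULL, and the changelog says the NULL dereference only occurs before c9a4cb204e9e, so a reader of devio.c cannot tell whether this guard is required or purely defensive. Please extend the comment block above the condition to say so, and state in the changelog which trees the patch is meant for. Also, because the check is folded into the condition, a NULL actconfig silently skips this special case and continues with the code after the block; confirm that this is the intended outcome rather than an explicit error return.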
