lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Feb 2022 10:26:06 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-kernel@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org, Szymon Heidrich <szymon.heidrich@...il.com>, stable@...nel.org Subject: [PATCH 4.19 40/49] USB: gadget: validate interface OS descriptor requests From: Szymon Heidrich <szymon.heidrich@...il.com> commit 75e5b4849b81e19e9efe1654b30d7f3151c33c2c upstream. Stall the control endpoint in case provided index exceeds array size of MAX_CONFIG_INTERFACES or when the retrieved function pointer is null. Signed-off-by: Szymon Heidrich <szymon.heidrich@...il.com> Cc: stable@...nel.org Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> --- drivers/usb/gadget/composite.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -1930,6 +1930,9 @@ unknown: if (w_index != 0x5 || (w_value >> 8)) break; interface = w_value & 0xFF; + if (interface >= MAX_CONFIG_INTERFACES || + !os_desc_cfg->interface[interface]) + break; buf[6] = w_index; count = count_ext_prop(os_desc_cfg, interface);
Powered by blists - more mailing lists