lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250422205140.7857-1-a.safin@rosa.ru>
Date: Tue, 22 Apr 2025 23:51:40 +0300
From: Alexei Safin <a.safin@...a.ru>
To: Johan Hovold <johan@...nel.org>
Cc: Alexei Safin <a.safin@...a.ru>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	linux-usb@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	lvc-project@...uxtesting.org
Subject: [PATCH] usb: serial: ti_usb_3410_5052: Add NULL check for read_urb in ti_open()

Avoid dereferencing port->read_urb when it is NULL, which may happen if
usb_alloc_urb() fails or initialization of usb_serial_port is incomplete.

Dereferencing a NULL pointer in ti_open() leads to a kernel crash.
This condition was detected by a static analyzer, but can also occur
in practice if memory allocation fails in probe path or if the driver
is incorrectly initialized by a faulty device descriptor.

Check port->read_urb for NULL before calling usb_clear_halt() to
prevent the crash.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Alexei Safin <a.safin@...a.ru>
---
 drivers/usb/serial/ti_usb_3410_5052.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
index b99f78224846..8466336714e8 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -710,6 +710,13 @@ static int ti_open(struct tty_struct *tty, struct usb_serial_port *port)
 	/* reset the data toggle on the bulk endpoints to work around bug in
 	 * host controllers where things get out of sync some times */
 	usb_clear_halt(dev, port->write_urb->pipe);
+
+	if (!port->read_urb) {
+		dev_err(&port->dev, "%s - no read urb\n", __func__);
+		status = -EINVAL;
+		goto unlink_int_urb;
+	}
+
 	usb_clear_halt(dev, port->read_urb->pipe);
 
 	if (tty)
-- 
2.39.5 (Apple Git-154)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ