Message-Id: <20151124.142647.235443062760285159.davem@davemloft.net>
Date: Tue, 24 Nov 2015 14:26:47 -0500 (EST)
From: David Miller <davem@...emloft.net>
To: bjorn@...k.no
Cc: netdev@...r.kernel.org, linux-usb@...r.kernel.org, oneukum@...e.com
Subject: Re: [PATCH] net: cdc_ncm: fix NULL pointer deref in cdc_ncm_bind_common
From: Bjørn Mork <bjorn@...k.no>
Date: Mon, 23 Nov 2015 14:32:10 +0100
> Commit 77b0a099674a ("cdc-ncm: use common parser") added a dangerous
> new trust in the CDC functional descriptors presented by the device,
> unconditionally assuming that any device handled by the driver has
> a CDC Union descriptor.
>
> This descriptor is required by the NCM and MBIM specs, but crashing
> on non-compliant devices is still unacceptable. Not only will that
> allow malicious devices to crash the kernel, but in this case it is
> also well known that there are non-compliant real devices on the
> market - as shown by the comment accompanying the IAD workaround
> in the same function.
>
> The Sierra Wireless EM7305 is an example of such a device, having
> a CDC header and a CDC MBIM descriptor but no CDC Union:
...
> The conversion to a common parser also left the local cdc_union
> variable untouched. This caused the IAD workaround code to be applied
> to all devices with an IAD descriptor, which was never intended. Finish
> the conversion by testing for hdr.usb_cdc_union_desc instead.
>
> Cc: Oliver Neukum <oneukum@...e.com>
> Fixes: 77b0a099674a ("cdc-ncm: use common parser")
> Signed-off-by: Bjørn Mork <bjorn@...k.no>
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
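
The failure mode described in the quoted commit message, as an added example that is not part of the original thread or of the kernel patch: a userspace C model of walking CDC functional descriptors in which the Union descriptor may be absent and the IAD fallback applies only in that case. The function names, the constructed sample bytes, and the fallback of using the next interface number are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* CDC functional descriptors: bDescriptorType 0x24, then a subtype byte. */
enum { CS_INTERFACE = 0x24, SUB_HEADER = 0x00, SUB_UNION = 0x06, SUB_MBIM = 0x1b };
struct cdc_parsed { const uint8_t *header, *union_desc, *mbim; };
/* Constructed sample descriptors, not captured from any device. */
static const uint8_t with_union[] = { 5, 0x24, 0x00, 0x10, 0x01,  5, 0x24, 0x06, 0, 1 };
static const uint8_t no_union[] = { 5, 0x24, 0x00, 0x10, 0x01,
    12, 0x24, 0x1b, 0x00, 0x01, 0x00, 0x10, 0x10, 0x40, 0xdc, 0x05, 0x20 };

/* Bounds-checked walk; any descriptor the device omits stays NULL. */
static void parse_cdc(const uint8_t *buf, size_t len, struct cdc_parsed *p)
{
    p->header = p->union_desc = p->mbim = NULL;
    while (len >= 3) {
        size_t dlen = buf[0];
        if (dlen < 3 || dlen > len)
            break;                      /* malformed or truncated: stop */
        if (buf[1] == CS_INTERFACE && buf[2] == SUB_HEADER) p->header = buf;
        if (buf[1] == CS_INTERFACE && buf[2] == SUB_UNION && dlen >= 5) p->union_desc = buf;
        if (buf[1] == CS_INTERFACE && buf[2] == SUB_MBIM) p->mbim = buf;
        buf += dlen;
        len -= dlen;
    }
}

/* Data interface number, or -1. iad_count: bInterfaceCount of an IAD, 0 if none. */
static int pick_data_interface(const struct cdc_parsed *p, int ctrl_ifnum, int iad_count)
{
    if (p->union_desc)
        return p->union_desc[4];        /* bSlaveInterface0 */
    if (iad_count == 2)
        return ctrl_ifnum + 1;          /* assumed fallback, only without a Union */
    return -1;                          /* fail the bind; never dereference NULL */
}

static int resolve(const uint8_t *buf, size_t len, int ctrl_ifnum, int iad_count)
{
    struct cdc_parsed p;
    parse_cdc(buf, len, &p);
    return pick_data_interface(&p, ctrl_ifnum, iad_count);
}

int main(void)
{
    printf("%d %d %d\n", resolve(with_union, sizeof with_union, 0, 0),
           resolve(no_union, sizeof no_union, 12, 2), resolve(no_union, sizeof no_union, 12, 0));
    return 0;
}
```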