[thirdparty/kernel/stable-queue.git] / releases / 4.10.7 / usb-uss720-fix-null-deref-at-probe.patch

From f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@kernel.org>
Date: Mon, 13 Mar 2017 13:47:50 +0100
Subject: USB: uss720: fix NULL-deref at probe

From: Johan Hovold <johan@kernel.org>

commit f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Note that the endpoint access that causes the NULL-deref is currently
only used for debugging purposes during probe so the oops only happens
when dynamic debugging is enabled. This means the driver could be
rewritten to continue to accept device with only two endpoints, should
such devices exist.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/uss720.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/misc/uss720.c
+++ b/drivers/usb/misc/uss720.c
@@ -708,6 +708,11 @@ static int uss720_probe(struct usb_inter
 
 	interface = intf->cur_altsetting;
 
+	if (interface->desc.bNumEndpoints < 3) {
+		usb_put_dev(usbdev);
+		return -ENODEV;
+	}
+
 	/*
 	 * Allocate parport interface 
 	 */
Commit	Line	Data
90594201 GKH	1	From f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 Mon Sep 17 00:00:00 2001
	2	From: Johan Hovold <johan@kernel.org>
	3	Date: Mon, 13 Mar 2017 13:47:50 +0100
	4	Subject: USB: uss720: fix NULL-deref at probe
	5
	6	From: Johan Hovold <johan@kernel.org>
	7
	8	commit f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 upstream.
	9
	10	Make sure to check the number of endpoints to avoid dereferencing a
	11	NULL-pointer or accessing memory beyond the endpoint array should a
	12	malicious device lack the expected endpoints.
	13
	14	Note that the endpoint access that causes the NULL-deref is currently
	15	only used for debugging purposes during probe so the oops only happens
	16	when dynamic debugging is enabled. This means the driver could be
	17	rewritten to continue to accept device with only two endpoints, should
	18	such devices exist.
	19
	20	Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
	21	Signed-off-by: Johan Hovold <johan@kernel.org>
	22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	23
	24	---
	25	drivers/usb/misc/uss720.c \| 5 +++++
	26	1 file changed, 5 insertions(+)
	27
	28	--- a/drivers/usb/misc/uss720.c
	29	+++ b/drivers/usb/misc/uss720.c
	30	@@ -708,6 +708,11 @@ static int uss720_probe(struct usb_inter
	31
	32	interface = intf->cur_altsetting;
	33
	34	+ if (interface->desc.bNumEndpoints < 3) {
	35	+ usb_put_dev(usbdev);
	36	+ return -ENODEV;
	37	+ }
	38	+
	39	/*
	40	* Allocate parport interface
	41	*/