| Message ID | 20191003134958.8692-1-johan@kernel.org (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 7d7e21fafdbc7fcf0854b877bd0975b487ed2717 |
| Headers | show |
| Series | USB: serial: keyspan: fix NULL-derefs on open() and write() | expand |
On Thu, Oct 03, 2019 at 03:49:58PM +0200, Johan Hovold wrote: > Fix NULL-pointer dereferences on open() and write() which can be > triggered by a malicious USB device. > > The current URB allocation helper would fail to initialise the newly > allocated URB if the device has unexpected endpoint descriptors, > something which could lead NULL-pointer dereferences in a number of > open() and write() paths when accessing the URB. For example: > > BUG: kernel NULL pointer dereference, address: 0000000000000000 > ... > RIP: 0010:usb_clear_halt+0x11/0xc0 > ... > Call Trace: > ? tty_port_open+0x4d/0xd0 > keyspan_open+0x70/0x160 [keyspan] > serial_port_activate+0x5b/0x80 [usbserial] > tty_port_open+0x7b/0xd0 > ? check_tty_count+0x43/0xa0 > tty_open+0xf1/0x490 > > BUG: kernel NULL pointer dereference, address: 0000000000000000 > ... > RIP: 0010:keyspan_write+0x14e/0x1f3 [keyspan] > ... > Call Trace: > serial_write+0x43/0xa0 [usbserial] > n_tty_write+0x1af/0x4f0 > ? do_wait_intr_irq+0x80/0x80 > ? process_echoes+0x60/0x60 > tty_write+0x13f/0x2f0 > > BUG: kernel NULL pointer dereference, address: 0000000000000000 > ... > RIP: 0010:keyspan_usa26_send_setup+0x298/0x305 [keyspan] > ... > Call Trace: > keyspan_open+0x10f/0x160 [keyspan] > serial_port_activate+0x5b/0x80 [usbserial] > tty_port_open+0x7b/0xd0 > ? check_tty_count+0x43/0xa0 > tty_open+0xf1/0x490 > > Fixes: fdcba53e2d58 ("fix for bugzilla #7544 (keyspan USB-to-serial converter)") > Cc: stable <stable@vger.kernel.org> # 2.6.21 > Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c index d34779fe4a8d..e66a59ef43a1 100644 --- a/drivers/usb/serial/keyspan.c +++ b/drivers/usb/serial/keyspan.c @@ -1741,8 +1741,8 @@ static struct urb *keyspan_setup_urb(struct usb_serial *serial, int endpoint, ep_desc = find_ep(serial, endpoint); if (!ep_desc) { - /* leak the urb, something's wrong and the callers don't care */ - return urb; + usb_free_urb(urb); + return NULL; } if (usb_endpoint_xfer_int(ep_desc)) { ep_type_name = "INT";
Fix NULL-pointer dereferences on open() and write() which can be triggered by a malicious USB device. The current URB allocation helper would fail to initialise the newly allocated URB if the device has unexpected endpoint descriptors, something which could lead NULL-pointer dereferences in a number of open() and write() paths when accessing the URB. For example: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... RIP: 0010:usb_clear_halt+0x11/0xc0 ... Call Trace: ? tty_port_open+0x4d/0xd0 keyspan_open+0x70/0x160 [keyspan] serial_port_activate+0x5b/0x80 [usbserial] tty_port_open+0x7b/0xd0 ? check_tty_count+0x43/0xa0 tty_open+0xf1/0x490 BUG: kernel NULL pointer dereference, address: 0000000000000000 ... RIP: 0010:keyspan_write+0x14e/0x1f3 [keyspan] ... Call Trace: serial_write+0x43/0xa0 [usbserial] n_tty_write+0x1af/0x4f0 ? do_wait_intr_irq+0x80/0x80 ? process_echoes+0x60/0x60 tty_write+0x13f/0x2f0 BUG: kernel NULL pointer dereference, address: 0000000000000000 ... RIP: 0010:keyspan_usa26_send_setup+0x298/0x305 [keyspan] ... Call Trace: keyspan_open+0x10f/0x160 [keyspan] serial_port_activate+0x5b/0x80 [usbserial] tty_port_open+0x7b/0xd0 ? check_tty_count+0x43/0xa0 tty_open+0xf1/0x490 Fixes: fdcba53e2d58 ("fix for bugzilla #7544 (keyspan USB-to-serial converter)") Cc: stable <stable@vger.kernel.org> # 2.6.21 Signed-off-by: Johan Hovold <johan@kernel.org> --- drivers/usb/serial/keyspan.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)