Guenter Roeck <[email protected]> writes: > Hi, > > On Sat, Aug 03, 2019 at 08:31:01PM -0400, Hui Peng wrote: >> The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects >> are initialized to point to the containing `ath10k_usb` object >> according to endpoint descriptors read from the device side, as shown >> below in `ath10k_usb_setup_pipe_resources`: >> >> for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { >> endpoint = &iface_desc->endpoint[i].desc; >> >> // get the address from endpoint descriptor >> pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb, >> endpoint->bEndpointAddress, >> &urbcount); >> ...... >> // select the pipe object >> pipe = &ar_usb->pipes[pipe_num]; >> >> // initialize the ar_usb field >> pipe->ar_usb = ar_usb; >> } >> >> The driver assumes that the addresses reported in endpoint >> descriptors from device side to be complete. If a device is >> malicious and does not report complete addresses, it may trigger >> NULL-ptr-deref `ath10k_usb_alloc_urb_from_pipe` and >> `ath10k_usb_free_urb_to_pipe`. >> >> This patch fixes the bug by preventing potential NULL-ptr-deref. >> >> Signed-off-by: Hui Peng <[email protected]> >> Reported-by: Hui Peng <[email protected]> >> Reported-by: Mathias Payer <[email protected]> > > This patch fixes CVE-2019-15099, which has CVSS scores of 7.5 (CVSS 3.0) > and 7.8 (CVSS 2.0). Yet, I don't find it in the upstream kernel or in Linux > next. > > Is the patch going to be applied to the upstream kernel anytime soon ?
Same answer as in patch 1: https://patchwork.kernel.org/patch/11074655/ -- https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
