Guenter Roeck <[email protected]> writes: > On Sat, Aug 03, 2019 at 08:29:04PM -0400, Hui Peng wrote: >> The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects >> are initialized to point to the containing `ath6kl_usb` object >> according to endpoint descriptors read from the device side, as shown >> below in `ath6kl_usb_setup_pipe_resources`: >> >> for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { >> endpoint = &iface_desc->endpoint[i].desc; >> >> // get the address from endpoint descriptor >> pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb, >> endpoint->bEndpointAddress, >> &urbcount); >> ...... >> // select the pipe object >> pipe = &ar_usb->pipes[pipe_num]; >> >> // initialize the ar_usb field >> pipe->ar_usb = ar_usb; >> } >> >> The driver assumes that the addresses reported in endpoint >> descriptors from device side to be complete. If a device is >> malicious and does not report complete addresses, it may trigger >> NULL-ptr-deref `ath6kl_usb_alloc_urb_from_pipe` and >> `ath6kl_usb_free_urb_to_pipe`. >> >> This patch fixes the bug by preventing potential NULL-ptr-deref. >> >> Signed-off-by: Hui Peng <[email protected]> >> Reported-by: Hui Peng <[email protected]> >> Reported-by: Mathias Payer <[email protected]> > > I don't see this patch in the upstream kernel or in -next. > > At the same time, it is supposed to fix CVE-2019-15098, which has > a CVSS v2.0 score of 7.8 (high). > > Is this patch going to be applied to the upstream kernel ?
Lately I have been very busy and I have not had a chance to apply ath6kl nor ath10k patches. This patch is on my queue and my plan is to go through my patch queue next week. -- https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
