[PATCH] [media] cpia2_usb: drop bogus interface-release call

2018-03-07 Thread Johan Hovold
Drop bogus call to usb_driver_release_interface() from the disconnect()
callback. As the interface is already being unbound at this point,
usb_driver_release_interface() simply returns early.

Signed-off-by: Johan Hovold <jo...@kernel.org>
---
 drivers/media/usb/cpia2/cpia2_usb.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/media/usb/cpia2/cpia2_usb.c 
b/drivers/media/usb/cpia2/cpia2_usb.c
index f3a1e5b1e57c..b51fc372ca25 100644
--- a/drivers/media/usb/cpia2/cpia2_usb.c
+++ b/drivers/media/usb/cpia2/cpia2_usb.c
@@ -910,9 +910,6 @@ static void cpia2_usb_disconnect(struct usb_interface *intf)
wake_up_interruptible(>wq_stream);
}
 
-   DBG("Releasing interface\n");
-   usb_driver_release_interface(_driver, intf);
-
LOG("CPiA2 camera disconnected.\n");
 }
 
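Review bot: the justification in the commit message (usb_driver_release_interface() returns early because the interface is already being unbound) is not visible anywhere in the hunk, so a stable backporter has nothing to check against; one sentence pointing at the early-return condition in usb_driver_release_interface() (it bails out unless the interface is still bound to the calling driver) would make the removal self-evidently safe. Dropping the matching DBG line together with the call is fine.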
-- 
2.16.2



[PATCH] [media] cx231xx-cards: fix NULL-deref on missing association descriptor

2017-09-21 Thread Johan Hovold
Make sure to check that we actually have an Interface Association
Descriptor before dereferencing it during probe to avoid dereferencing a
NULL-pointer.

Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
Cc: stable <sta...@vger.kernel.org> # 2.6.30
Cc: Sri Deevi <srinivasa.de...@conexant.com>
Reported-by: Andrey Konovalov <andreyk...@google.com>
Signed-off-by: Johan Hovold <jo...@kernel.org>
---
 drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c 
b/drivers/media/usb/cx231xx/cx231xx-cards.c
index e0daa9b6c2a0..9b742d569fb5 100644
--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
+++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
@@ -1684,7 +1684,7 @@ static int cx231xx_usb_probe(struct usb_interface 
*interface,
nr = dev->devno;
 
assoc_desc = udev->actconfig->intf_assoc[0];
-   if (assoc_desc->bFirstInterface != ifnum) {
+   if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) {
dev_err(d, "Not found matching IAD interface\n");
retval = -ENODEV;
goto err_if;
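Review bot: the added `!assoc_desc` test on the changed line is the right fix, but the unchanged "Not found matching IAD interface" message now covers two different failures (no Interface Association Descriptor at all, versus an IAD whose bFirstInterface is not this interface); splitting the message, or mentioning the missing-IAD case in it, would make the probe refusal easier to read from dmesg. Note also that only intf_assoc[0] is consulted, which is pre-existing behaviour but means a device declaring several IADs is still matched on the first one only.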
-- 
2.14.1



Re: usb/media/cx231xx: null-ptr-deref in cx231xx_usb_probe

2017-09-21 Thread Johan Hovold
On Wed, Sep 20, 2017 at 08:54:08PM +0200, Andrey Konovalov wrote:
> Hi!
> 
> I've got the following report while fuzzing the kernel with syzkaller.
> 
> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
> 
> The null-ptr-deref happens on assoc_desc->bFirstInterface, where
> assoc_desc = udev->actconfig->intf_assoc[0]. There seems to be no
> check that the device actually contains an Interface Association
> Descriptor.

That is indeed a bug; I'll respond to this mail with a fix.

Thanks,
Johan


Re: [PATCH 1/2] staging: greybus: light: Don't leak memory for no gain

2017-07-25 Thread Johan Hovold
[ +CC: Rui and Greg ]

On Tue, Jul 18, 2017 at 09:41:06PM +0300, Sakari Ailus wrote:
> Memory for struct v4l2_flash_config is allocated in
> gb_lights_light_v4l2_register() for no gain and yet the allocated memory is
> leaked; the struct isn't used outside the function. Fix this.
> 
> Signed-off-by: Sakari Ailus 
> ---
>  drivers/staging/greybus/light.c | 17 ++---
>  1 file changed, 6 insertions(+), 11 deletions(-)
> 
> diff --git a/drivers/staging/greybus/light.c b/drivers/staging/greybus/light.c
> index 129ceed39829..b25c117ec41a 100644
> --- a/drivers/staging/greybus/light.c
> +++ b/drivers/staging/greybus/light.c
> @@ -534,25 +534,21 @@ static int gb_lights_light_v4l2_register(struct 
> gb_light *light)
>  {
>   struct gb_connection *connection = get_conn_from_light(light);
>   struct device *dev = >bundle->dev;
> - struct v4l2_flash_config *sd_cfg;
> + struct v4l2_flash_config sd_cfg = { 0 };
>   struct led_classdev_flash *fled;
>   struct led_classdev *iled = NULL;
>   struct gb_channel *channel_torch, *channel_ind, *channel_flash;
>   int ret = 0;
>  
> - sd_cfg = kcalloc(1, sizeof(*sd_cfg), GFP_KERNEL);
> - if (!sd_cfg)
> - return -ENOMEM;
> -
>   channel_torch = get_channel_from_mode(light, GB_CHANNEL_MODE_TORCH);
>   if (channel_torch)
>   __gb_lights_channel_v4l2_config(_torch->intensity_uA,
> - _cfg->torch_intensity);
> + _cfg.torch_intensity);
>  
>   channel_ind = get_channel_from_mode(light, GB_CHANNEL_MODE_INDICATOR);
>   if (channel_ind) {
>   __gb_lights_channel_v4l2_config(_ind->intensity_uA,
> - _cfg->indicator_intensity);
> + _cfg.indicator_intensity);
>   iled = _ind->fled.led_cdev;
>   }
>  
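Review bot: the `= { 0 }` initialiser on the new stack variable must stay: the removed kcalloc() zeroed the struct, and indicator_intensity is only filled in when channel_ind exists (the conditional just below), so without the initialiser v4l2_flash_init() would read uninitialised fields. Either `{ 0 }` or `{}` is fine here, but the zeroing itself is load-bearing and worth a word in the commit message.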
> @@ -561,17 +557,17 @@ static int gb_lights_light_v4l2_register(struct 
> gb_light *light)
>  
>   fled = _flash->fled;
>  
> - snprintf(sd_cfg->dev_name, sizeof(sd_cfg->dev_name), "%s", light->name);
> + snprintf(sd_cfg.dev_name, sizeof(sd_cfg.dev_name), "%s", light->name);
>  
>   /* Set the possible values to faults, in our case all faults */
> - sd_cfg->flash_faults = LED_FAULT_OVER_VOLTAGE | LED_FAULT_TIMEOUT |
> + sd_cfg.flash_faults = LED_FAULT_OVER_VOLTAGE | LED_FAULT_TIMEOUT |
>   LED_FAULT_OVER_TEMPERATURE | LED_FAULT_SHORT_CIRCUIT |
>   LED_FAULT_OVER_CURRENT | LED_FAULT_INDICATOR |
>   LED_FAULT_UNDER_VOLTAGE | LED_FAULT_INPUT_VOLTAGE |
>   LED_FAULT_LED_OVER_TEMPERATURE;
>  
>   light->v4l2_flash = v4l2_flash_init(dev, NULL, fled, iled,
> - _flash_ops, sd_cfg);
> + _flash_ops, _cfg);
>   if (IS_ERR_OR_NULL(light->v4l2_flash)) {
>   ret = PTR_ERR(light->v4l2_flash);
>   goto out_free;
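Review bot: passing `&sd_cfg` (the garbled `_cfg` in the archived mail) to v4l2_flash_init() is only safe with a stack variable if v4l2_flash_init() copies the configuration rather than retaining the pointer; the commit message says the struct isn't used outside the function, and it would help to state explicitly that the callee copies it, since that is what makes the stack lifetime adequate. Two smaller points on the unchanged context: with nothing left to free, `goto out_free` on the IS_ERR_OR_NULL path could simply return, and `ret = PTR_ERR(light->v4l2_flash)` yields 0 when v4l2_flash_init() returns NULL, so the NULL case currently reports success (pre-existing, but in the hunk).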
> @@ -580,7 +576,6 @@ static int gb_lights_light_v4l2_register(struct gb_light 
> *light)
>   return ret;
>  
>  out_free:
> - kfree(sd_cfg);

This looks a bit lazy, even if I just noticed that you repurpose this
error label (without renaming it) in your second patch.


>   return ret;
>  }

And while it's fine to take this through linux-media, it would still be
good to keep the maintainers on CC.

Thanks,
Johan


Re: Null Pointer Dereference in mceusb

2017-07-03 Thread Johan Hovold
On Mon, Jul 03, 2017 at 03:41:59PM +0700, Lars Melin wrote:
> On 2017-07-03 15:10, Johan Hovold wrote:
> > On Thu, Jun 29, 2017 at 07:41:24PM +0200, Sebastian wrote:
> >> Sorry for the long delay, Johan.
> >>
> >> 2017-06-01 9:20 GMT+02:00 Johan Hovold <jo...@kernel.org>:
> >>> [ +CC: media list ]
> >>>
> >>> On Wed, May 31, 2017 at 08:25:42PM +0200, Sebastian wrote:
> >>>
> >>> What is the lsusb -v output for your device? And have you successfully
> >>> used this device with this driver before?
> >>>
> >>
> >> No, the device wasn't successfully used before that- it crashed every time,
> >> so I threw away the usb receiver. This is also the reason why I cannot give
> >> you the lsusb output. But I can give you the VID:PID -> 03ee:2501 if that
> >> is of any help?
> > 
> > Ok, so it's not necessarily a (recent) regression at least. I can't seem
> > to find anyone else posting lsusb -v output for that device
> > unfortunately.
> > 
> 
> Googling "03ee:2501 bDescriptorType" leads us to:
> https://sourceforge.net/p/lirc/mailman/message/12852102/

Thanks, Lars. Appears I didn't google hard enough.

Well that device has both a bulk IN and OUT endpoint, so if Sebastian's
device has the same descriptors, I'm left without a hypothesis as to
what would have caused the crash.

We'd need to get this verified on a recent mainline kernel (rather than
an older Ubuntu one) and then take it from there.

Thanks,
Johan


Re: Null Pointer Dereference in mceusb

2017-07-03 Thread Johan Hovold
On Thu, Jun 29, 2017 at 07:41:24PM +0200, Sebastian wrote:
> Sorry for the long delay, Johan.
> 
> 2017-06-01 9:20 GMT+02:00 Johan Hovold <jo...@kernel.org>:
> > [ +CC: media list ]
> >
> > On Wed, May 31, 2017 at 08:25:42PM +0200, Sebastian wrote:
> >
> > What is the lsusb -v output for your device? And have you successfully
> > used this device with this driver before?
> >
> 
> No, the device wasn't successfully used before that- it crashed every time,
> so I threw away the usb receiver. This is also the reason why I cannot give
> you the lsusb output. But I can give you the VID:PID -> 03ee:2501 if that
> is of any help?

Ok, so it's not necessarily a (recent) regression at least. I can't seem
to find anyone else posting lsusb -v output for that device
unfortunately.

> > Can you reproduce this with a more recent mainline kernel (e.g.
> > 4.11.3)?
> 
> Unfortunately no :(
> 
> >
> > This looks like something which could happen if the device is lacking an
> > OUT endpoint, and a sanity check to catch that recently went in (and was
> > backported to the non-EOL stable trees).
> 
> I could buy the same device again and try?

If you're willing to do that, that'd be very helpful; either to verify that
the crash is already fixed (as mentioned above), or to allow us to track
down the separate issue.

Thanks,
Johan


[PATCH 2/2] [media] mceusb: drop redundant urb reinitialisation

2017-06-01 Thread Johan Hovold
Drop a reinitialisation of two urb fields immediately after they have
been initialised, which has been redundant since commit e1159cb35712
("[media] mceusb: remove pointless mce_flush_rx_buffer function").

Signed-off-by: Johan Hovold <jo...@kernel.org>
---
 drivers/media/rc/mceusb.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
index 0a16bd34ee4e..cba7ae90c000 100644
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -760,9 +760,6 @@ static void mce_request_packet(struct mceusb_dev *ir, 
unsigned char *data,
 
dev_dbg(dev, "receive request called (size=%#x)", size);
 
-   async_urb->transfer_buffer_length = size;
-   async_urb->dev = ir->usbdev;
-
res = usb_submit_urb(async_urb, GFP_ATOMIC);
if (res) {
dev_err(dev, "receive request FAILED! (res=%d)", res);
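Review bot: the hunk shows only the two removed assignments, not the earlier initialisation of async_urb that the commit message says makes them redundant, so the redundancy cannot be verified from the diff alone; naming the call that now fills transfer_buffer_length and dev (usb_fill_bulk_urb() or whatever mce_request_packet() uses) in the message would let a reviewer confirm every path reaching usb_submit_urb() sets both. Also worth stating that `size` is not adjusted between that initialisation and here, since the removed line was the last place it was applied.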
-- 
2.13.0



[PATCH 1/2] [media] mceusb: fix memory leaks in error path

2017-06-01 Thread Johan Hovold
Fix urb and transfer-buffer leaks in an urb-submission error path which
may be hit when a device is disconnected.

Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver")
Cc: stable <sta...@vger.kernel.org> # 2.6.36
Cc: Jarod Wilson <ja...@redhat.com>
Signed-off-by: Johan Hovold <jo...@kernel.org>
---
 drivers/media/rc/mceusb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
index 93b16fe3ab38..0a16bd34ee4e 100644
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -766,6 +766,8 @@ static void mce_request_packet(struct mceusb_dev *ir, 
unsigned char *data,
res = usb_submit_urb(async_urb, GFP_ATOMIC);
if (res) {
dev_err(dev, "receive request FAILED! (res=%d)", res);
+   kfree(async_buf);
+   usb_free_urb(async_urb);
return;
}
dev_dbg(dev, "receive request complete (res=%d)", res);
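Review bot: freeing async_buf and async_urb on the usb_submit_urb() failure path is correct because a failed submit guarantees the completion handler never runs, so nothing else can touch them; the success path has no such guarantee, and the commit message should say that the completion callback owns and frees both once the urb completes, otherwise a reader cannot tell whether the same leak exists there. One thing to double-check at the allocation site (not in the hunk): if the urb was set up with URB_FREE_BUFFER, the explicit kfree(async_buf) here would be a double free.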
-- 
2.13.0



Re: Null Pointer Dereference in mceusb

2017-06-01 Thread Johan Hovold
[ +CC: media list ]

On Wed, May 31, 2017 at 08:25:42PM +0200, Sebastian wrote:
> Hi list,
> 
> as kindly suggested by gregkh
> (https://bugzilla.kernel.org/show_bug.cgi?id=195943), I am now sending
> the mail to this mailing list.
> I have set up the latest Ubuntu 17.04 server within a qemu/kvm virtual
> machine and experienced the following bug in the mce_usb driver:

What is the lsusb -v output for your device? And have you successfully
used this device with this driver before?
 
> [ 2873.734554] usb usb1-port1: unable to enumerate USB device
> [ 2906.929123] BUG: unable to handle kernel NULL pointer dereference
> at 0003
> [ 2906.931178] IP: mce_request_packet+0x66/0x210 [mceusb]
> [ 2906.932512] PGD 0
> [ 2906.932514]
> [ 2906.933561] Oops:  [#1] SMP
> [ 2906.934382] Modules linked in: kaweth zd1211rw ir_rc6_decoder
> ir_lirc_codec lirc_dev rc_rc6_mce mceusb rc_core ftdi_sio usbserial
> usb_storage usbhid hid at
> 76c50x_usb mac80211 cfg80211 ppdev joydev input_leds i2c_piix4
> parport_pc parport pvpanic mac_hid serio_raw ib_iser rdma_cm iw_cm
> ib_cm ib_core configfs iscsi
> _tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables
> autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq
> async_xor async_tx xor
>  raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm
> drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops psmouse
> drm e1000 floppy pata_acpi
> [ 2906.950961] CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted
> 4.10.0-19-generic #21-Ubuntu

Can you reproduce this with a more recent mainline kernel (e.g.
4.11.3)?

This looks like something which could happen if the device is lacking an
OUT endpoint, and a sanity check to catch that recently went in (and was
backported to the non-EOL stable trees).

Thanks,
Johan


[PATCH] [media] usbvision: add missing USB-descriptor endianness conversions

2017-05-12 Thread Johan Hovold
Add the missing endianness conversions to a debug call printing the
USB device-descriptor idVendor and idProduct fields during probe.

Signed-off-by: Johan Hovold <jo...@kernel.org>
---
 drivers/media/usb/usbvision/usbvision-video.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/usbvision/usbvision-video.c 
b/drivers/media/usb/usbvision/usbvision-video.c
index f9c3325aa4d4..756322c4ac05 100644
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1427,8 +1427,8 @@ static int usbvision_probe(struct usb_interface *intf,
int model, i, ret;
 
PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u",
-   dev->descriptor.idVendor,
-   dev->descriptor.idProduct, ifnum);
+   le16_to_cpu(dev->descriptor.idVendor),
+   le16_to_cpu(dev->descriptor.idProduct), ifnum);
 
model = devid->driver_info;
if (model < 0 || model >= usbvision_device_data_size) {
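Review bot: the le16_to_cpu() conversions are right, but the unchanged `%#04x` format in the same PDEBUG call prints a 16-bit id as 0x3ee rather than 0x03ee, because the 0x prefix produced by the `#` flag counts toward the width of 4; `0x%04x` (or `%#06x`) gives the conventional four-digit form that matches lsusb output. Minor, but it is the same debug line being touched.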
-- 
2.13.0



Re: [git:media_tree/master] [media] gspca: konica: add missing endpoint sanity check

2017-04-10 Thread Johan Hovold
On Wed, Apr 05, 2017 at 06:07:31PM +, Mauro Carvalho Chehab wrote:
> This is an automatic generated email to let you know that the
> following patch were queued:
> 
> Subject: [media] gspca: konica: add missing endpoint sanity check
> Author:  Johan Hovold <jo...@kernel.org>
> Date:Mon Mar 13 09:53:59 2017 -0300

This was the sixth and final patch in a series; are you picking up the
first five as well?

Thanks,
Johan


Re: [PATCH 0/6] [media] fix missing endpoint sanity checks

2017-04-03 Thread Johan Hovold
On Mon, Mar 13, 2017 at 01:53:53PM +0100, Johan Hovold wrote:
> This series fixes a number of NULL-pointer dereferences (and related
> issues) due to missing endpoint sanity checks that can be triggered by a
> malicious USB device.
 
> Johan Hovold (6):
>   [media] dib0700: fix NULL-deref at probe
>   [media] usbvision: fix NULL-deref at probe
>   [media] cx231xx-cards: fix NULL-deref at probe
>   [media] cx231xx-audio: fix init error path
>   [media] cx231xx-audio: fix NULL-deref at probe
>   [media] gspca: konica: add missing endpoint sanity check

I noticed these had been assigned to you, Hans. Anything more you need
to get them merged?

Thanks,
Johan


[PATCH 4/6] [media] cx231xx-audio: fix init error path

2017-03-13 Thread Johan Hovold
Make sure to release the snd_card also on a late allocation error.

Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
Cc: stable <sta...@vger.kernel.org> # 2.6.30
Cc: Sri Deevi <srinivasa.de...@conexant.com>
Signed-off-by: Johan Hovold <jo...@kernel.org>
---
 drivers/media/usb/cx231xx/cx231xx-audio.c | 25 ++---
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/drivers/media/usb/cx231xx/cx231xx-audio.c 
b/drivers/media/usb/cx231xx/cx231xx-audio.c
index cf80842dfa08..f3729d6eb46a 100644
--- a/drivers/media/usb/cx231xx/cx231xx-audio.c
+++ b/drivers/media/usb/cx231xx/cx231xx-audio.c
@@ -670,10 +670,8 @@ static int cx231xx_audio_init(struct cx231xx *dev)
 
spin_lock_init(>slock);
err = snd_pcm_new(card, "Cx231xx Audio", 0, 0, 1, );
-   if (err < 0) {
-   snd_card_free(card);
-   return err;
-   }
+   if (err < 0)
+   goto err_free_card;
 
snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_CAPTURE,
_cx231xx_pcm_capture);
@@ -687,10 +685,9 @@ static int cx231xx_audio_init(struct cx231xx *dev)
INIT_WORK(>wq_trigger, audio_trigger);
 
err = snd_card_register(card);
-   if (err < 0) {
-   snd_card_free(card);
-   return err;
-   }
+   if (err < 0)
+   goto err_free_card;
+
adev->sndcard = card;
adev->udev = dev->udev;
 
@@ -709,9 +706,10 @@ static int cx231xx_audio_init(struct cx231xx *dev)
"audio EndPoint Addr 0x%x, Alternate settings: %i\n",
adev->end_point_addr, adev->num_alt);
adev->alt_max_pkt_size = kmalloc(32 * adev->num_alt, GFP_KERNEL);
-
-   if (adev->alt_max_pkt_size == NULL)
-   return -ENOMEM;
+   if (!adev->alt_max_pkt_size) {
+   err = -ENOMEM;
+   goto err_free_card;
+   }
 
for (i = 0; i < adev->num_alt; i++) {
u16 tmp =
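Review bot: `kmalloc(32 * adev->num_alt, GFP_KERNEL)` hard-codes a 32-byte per-entry size while num_alt comes straight from the device's descriptors; `kmalloc_array(adev->num_alt, sizeof(*adev->alt_max_pkt_size), GFP_KERNEL)` would express the intended element size and get overflow checking for free. Not introduced by this patch, but the line is inside the hunk and is the allocation the new error path is being added for.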
@@ -725,6 +723,11 @@ static int cx231xx_audio_init(struct cx231xx *dev)
}
 
return 0;
+
+err_free_card:
+   snd_card_free(card);
+
+   return err;
 }
 
 static int cx231xx_audio_fini(struct cx231xx *dev)
-- 
2.12.0



[PATCH 2/6] [media] usbvision: fix NULL-deref at probe

2017-03-13 Thread Johan Hovold
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: 2a9f8b5d25be ("V4L/DVB (5206): Usbvision: set alternate interface modification")
Cc: stable <sta...@vger.kernel.org> # 2.6.21
Cc: Thierry MERLE <thierry.me...@free.fr>
Signed-off-by: Johan Hovold <jo...@kernel.org>
---
 drivers/media/usb/usbvision/usbvision-video.c | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/media/usb/usbvision/usbvision-video.c 
b/drivers/media/usb/usbvision/usbvision-video.c
index f5c635a67d74..f9c3325aa4d4 100644
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1501,7 +1501,14 @@ static int usbvision_probe(struct usb_interface *intf,
}
 
for (i = 0; i < usbvision->num_alt; i++) {
-   u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
+   u16 tmp;
+
+   if (uif->altsetting[i].desc.bNumEndpoints < 2) {
+   ret = -ENODEV;
+   goto err_pkt;
+   }
+
+   tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
  wMaxPacketSize);
usbvision->alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
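Review bot: the `bNumEndpoints < 2` test correctly guards the endpoint[1] access, and `goto err_pkt` presumably releases the alt_max_pkt_size array allocated just before the loop (the label is not visible in the hunk), so it is worth confirming that label is only reachable after that allocation. As a follow-up cleanup, the open-coded `(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1)` decoding of wMaxPacketSize could use the usb_endpoint_maxp() and usb_endpoint_maxp_mult() helpers from linux/usb.h, which also removes the manual le16_to_cpu().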
-- 
2.12.0



[PATCH 6/6] [media] gspca: konica: add missing endpoint sanity check

2017-03-13 Thread Johan Hovold
Make sure to check the number of endpoints to avoid accessing memory
beyond the endpoint array should a device lack the expected endpoints.

Note that, as far as I can tell, the gspca framework has already made
sure there is at least one endpoint in the current alternate setting so
there should be no risk for a NULL-pointer dereference here.

Fixes: b517af722860 ("V4L/DVB: gspca_konica: New gspca subdriver for konica chipset using cams")
Cc: stable <sta...@vger.kernel.org> # 2.6.37
Cc: Hans de Goede <hdego...@redhat.com>
Signed-off-by: Johan Hovold <jo...@kernel.org>
---
 drivers/media/usb/gspca/konica.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/usb/gspca/konica.c b/drivers/media/usb/gspca/konica.c
index 71f273377f83..31b2117e8f1d 100644
--- a/drivers/media/usb/gspca/konica.c
+++ b/drivers/media/usb/gspca/konica.c
@@ -184,6 +184,9 @@ static int sd_start(struct gspca_dev *gspca_dev)
return -EIO;
}
 
+   if (alt->desc.bNumEndpoints < 2)
+   return -ENODEV;
+
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 
n = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv;
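Review bot: the check rejects fewer than two endpoints, but the only endpoint access visible in the hunk is endpoint[0], and the commit message says the framework already guarantees at least one; the `< 2` bound therefore presumably covers an endpoint[1] access further down in sd_start() that the hunk does not show. Saying so in the commit message would make the bound reviewable and stop a future cleanup from "correcting" it to `< 1`.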
-- 
2.12.0



[PATCH 5/6] [media] cx231xx-audio: fix NULL-deref at probe

2017-03-13 Thread Johan Hovold
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
Cc: stable <sta...@vger.kernel.org> # 2.6.30
Cc: Sri Deevi <srinivasa.de...@conexant.com>
Signed-off-by: Johan Hovold <jo...@kernel.org>
---
 drivers/media/usb/cx231xx/cx231xx-audio.c | 17 +++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/cx231xx/cx231xx-audio.c 
b/drivers/media/usb/cx231xx/cx231xx-audio.c
index f3729d6eb46a..a050d125934c 100644
--- a/drivers/media/usb/cx231xx/cx231xx-audio.c
+++ b/drivers/media/usb/cx231xx/cx231xx-audio.c
@@ -697,6 +697,11 @@ static int cx231xx_audio_init(struct cx231xx *dev)
hs_config_info[0].interface_info.
audio_index + 1];
 
+   if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) {
+   err = -ENODEV;
+   goto err_free_card;
+   }
+
adev->end_point_addr =
uif->altsetting[0].endpoint[isoc_pipe].desc.
bEndpointAddress;
@@ -712,8 +717,14 @@ static int cx231xx_audio_init(struct cx231xx *dev)
}
 
for (i = 0; i < adev->num_alt; i++) {
-   u16 tmp =
-   le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.
+   u16 tmp;
+
+   if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) {
+   err = -ENODEV;
+   goto err_free_pkt_size;
+   }
+
+   tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.
wMaxPacketSize);
adev->alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
@@ -724,6 +735,8 @@ static int cx231xx_audio_init(struct cx231xx *dev)
 
return 0;
 
+err_free_pkt_size:
+   kfree(adev->alt_max_pkt_size);
 err_free_card:
snd_card_free(card);
 
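Review bot: err_free_pkt_size falling through into err_free_card is the right unwind order, but kfree(adev->alt_max_pkt_size) leaves the dangling pointer in adev; if cx231xx_audio_fini() also frees alt_max_pkt_size, set it to NULL here. The same consideration applies to adev->sndcard, which has already been assigned by the time the new checks reach err_free_card.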
-- 
2.12.0



[PATCH 3/6] [media] cx231xx-cards: fix NULL-deref at probe

2017-03-13 Thread Johan Hovold
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
Cc: stable <sta...@vger.kernel.org> # 2.6.30
Cc: Sri Deevi <srinivasa.de...@conexant.com>
Signed-off-by: Johan Hovold <jo...@kernel.org>
---
 drivers/media/usb/cx231xx/cx231xx-cards.c | 45 +++
 1 file changed, 40 insertions(+), 5 deletions(-)

diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c 
b/drivers/media/usb/cx231xx/cx231xx-cards.c
index f730fdbc9156..f850267a0095 100644
--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
+++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
@@ -1426,6 +1426,9 @@ static int cx231xx_init_v4l2(struct cx231xx *dev,
 
uif = udev->actconfig->interface[idx];
 
+   if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
+   return -ENODEV;
+
dev->video_mode.end_point_addr = 
uif->altsetting[0].endpoint[isoc_pipe].desc.bEndpointAddress;
dev->video_mode.num_alt = uif->num_altsetting;
 
@@ -1439,7 +1442,12 @@ static int cx231xx_init_v4l2(struct cx231xx *dev,
return -ENOMEM;
 
for (i = 0; i < dev->video_mode.num_alt; i++) {
-   u16 tmp = 
le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize);
+   u16 tmp;
+
+   if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
+   return -ENODEV;
+
+   tmp = 
le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize);
dev->video_mode.alt_max_pkt_size[i] = (tmp & 0x07ff) * (((tmp & 
0x1800) >> 11) + 1);
dev_dbg(dev->dev,
"Alternate setting %i, max size= %i\n", i,
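Review bot: the `return -ENODEV` inside the loop comes after alt_max_pkt_size has been allocated (the `return -ENOMEM` context just above shows the allocation precedes the loop), so the array is left allocated on this error; that is only leak-free if the caller of cx231xx_init_v4l2() releases video_mode.alt_max_pkt_size on failure, which the commit message should state, since the same pattern repeats in the vbi_mode and sliced_cc_mode loops below. Compare the ts1_mode check in cx231xx_usb_probe() later in this patch, which unwinds via `goto err_video_alt` instead of a bare return.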
@@ -1456,6 +1464,9 @@ static int cx231xx_init_v4l2(struct cx231xx *dev,
}
uif = udev->actconfig->interface[idx];
 
+   if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
+   return -ENODEV;
+
dev->vbi_mode.end_point_addr =
uif->altsetting[0].endpoint[isoc_pipe].desc.
bEndpointAddress;
@@ -1472,8 +1483,12 @@ static int cx231xx_init_v4l2(struct cx231xx *dev,
return -ENOMEM;
 
for (i = 0; i < dev->vbi_mode.num_alt; i++) {
-   u16 tmp =
-   le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
+   u16 tmp;
+
+   if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
+   return -ENODEV;
+
+   tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
desc.wMaxPacketSize);
dev->vbi_mode.alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
@@ -1493,6 +1508,9 @@ static int cx231xx_init_v4l2(struct cx231xx *dev,
}
uif = udev->actconfig->interface[idx];
 
+   if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
+   return -ENODEV;
+
dev->sliced_cc_mode.end_point_addr =
uif->altsetting[0].endpoint[isoc_pipe].desc.
bEndpointAddress;
@@ -1507,7 +1525,12 @@ static int cx231xx_init_v4l2(struct cx231xx *dev,
return -ENOMEM;
 
for (i = 0; i < dev->sliced_cc_mode.num_alt; i++) {
-   u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
+   u16 tmp;
+
+   if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
+   return -ENODEV;
+
+   tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
desc.wMaxPacketSize);
dev->sliced_cc_mode.alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
@@ -1676,6 +1699,11 @@ static int cx231xx_usb_probe(struct usb_interface 
*interface,
}
uif = udev->actconfig->interface[idx];
 
+   if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) {
+   retval = -ENODEV;
+   goto err_video_alt;
+   }
+
dev->ts1_mode.end_point_addr =
uif->altsetting[0].endpoint[isoc_pipe].
desc.bEndpointAddress;
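Review bot: this check unwinds through `goto err_video_alt` rather than a bare return, which is the right thing in the probe path. Since every mode uses the same `isoc_pipe + 1` bound and isoc_pipe itself is not visible in any hunk, a line in the commit message saying whether isoc_pipe is a constant or varies per device would help, as that decides whether one upfront bNumEndpoints check per altsetting could replace the scattered ones.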
@@ -1693,7 +1721,14 @@ static int cx231xx_usb_probe(struct usb_interface 
*interface,
}
 
for (i = 0; i < dev->ts1_mode.num_alt; i++) {
-   u16 tmp = le16_to_cpu(uif->altsetting[i].
+   u16 tmp;
+
+   if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 
1) {
+
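Review bot: this final hunk is cut off in the archived message right after the new bNumEndpoints check, so the label it jumps to is not visible; since this loop fills ts1_mode.alt_max_pkt_size, which must already have been allocated, the unwind should go to a label that frees that array rather than to err_video_alt as the earlier ts1_mode check does. Worth confirming in the full patch.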

[PATCH 1/6] [media] dib0700: fix NULL-deref at probe

2017-03-13 Thread Johan Hovold
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge Nova-TD")
Cc: stable <sta...@vger.kernel.org> # 3.16
Cc: Mauro Carvalho Chehab <mche...@kernel.org>
Signed-off-by: Johan Hovold <jo...@kernel.org>
---
 drivers/media/usb/dvb-usb/dib0700_core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/usb/dvb-usb/dib0700_core.c 
b/drivers/media/usb/dvb-usb/dib0700_core.c
index dd5edd3a17ee..08acdd32e412 100644
--- a/drivers/media/usb/dvb-usb/dib0700_core.c
+++ b/drivers/media/usb/dvb-usb/dib0700_core.c
@@ -809,6 +809,9 @@ int dib0700_rc_setup(struct dvb_usb_device *d, struct 
usb_interface *intf)
 
/* Starting in firmware 1.20, the RC info is provided on a bulk pipe */
 
+   if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1)
+   return -ENODEV;
+
purb = usb_alloc_urb(0, GFP_KERNEL);
if (purb == NULL)
return -ENOMEM;
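Review bot: the check reads intf->altsetting[0], but the hunk does not show which altsetting the bulk pipe's endpoint is later taken from; if the RC endpoint is looked up via intf->cur_altsetting (or an altsetting selected with usb_set_interface()), the bound should be evaluated on that same altsetting, otherwise a device whose alternate setting 0 has enough endpoints but whose active one does not still gets through. If the driver never switches altsettings, a sentence saying so in the commit message settles it.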
-- 
2.12.0



[PATCH 0/6] [media] fix missing endpoint sanity checks

2017-03-13 Thread Johan Hovold
This series fixes a number of NULL-pointer dereferences (and related
issues) due to missing endpoint sanity checks that can be triggered by a
malicious USB device.

Johan


Johan Hovold (6):
  [media] dib0700: fix NULL-deref at probe
  [media] usbvision: fix NULL-deref at probe
  [media] cx231xx-cards: fix NULL-deref at probe
  [media] cx231xx-audio: fix init error path
  [media] cx231xx-audio: fix NULL-deref at probe
  [media] gspca: konica: add missing endpoint sanity check

 drivers/media/usb/cx231xx/cx231xx-audio.c | 42 +
 drivers/media/usb/cx231xx/cx231xx-cards.c | 45 ---
 drivers/media/usb/dvb-usb/dib0700_core.c  |  3 ++
 drivers/media/usb/gspca/konica.c  |  3 ++
 drivers/media/usb/usbvision/usbvision-video.c |  9 +-
 5 files changed, 83 insertions(+), 19 deletions(-)

-- 
2.12.0



[PATCH] [media] mceusb: fix NULL-deref at probe

2017-03-07 Thread Johan Hovold
Make sure to check for the required out endpoint to avoid dereferencing
a NULL-pointer in mce_request_packet should a malicious device lack such
an endpoint. Note that this path is hit during probe.

Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver")
Cc: stable <sta...@vger.kernel.org> # 2.6.36
Signed-off-by: Johan Hovold <jo...@kernel.org>
---

Found through inspection, compile tested only.

Johan


 drivers/media/rc/mceusb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
index 238d8eaf7d94..93b16fe3ab38 100644
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1288,8 +1288,8 @@ static int mceusb_dev_probe(struct usb_interface *intf,
}
}
}
-   if (ep_in == NULL) {
-   dev_dbg(>dev, "inbound and/or endpoint not found");
+   if (!ep_in || !ep_out) {
+   dev_dbg(>dev, "required endpoints not found\n");
return -ENODEV;
}
 
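Review bot: rejecting a device that lacks either endpoint with -ENODEV at probe matches the rest of the endpoint-sanity series, and keeping the message at dev_dbg level is the right choice: a malformed or hostile device should not be able to fill the log at error level merely by being plugged in. The message text fix (the old "inbound and/or endpoint not found" was missing a word) and the added trailing newline are fine; since the cover note says compile-tested only, a Tested-by from someone with a real mceusb receiver would be worth collecting before this goes to stable.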
-- 
2.12.0