[PATCH] cypress_m8: add sanity checking
An attack using missing endpoints exists. CVE-2016-3137 Signed-off-by: Oliver NeukumCC: sta...@vger.kernel.org --- drivers/usb/serial/cypress_m8.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c index 01bf533..1c6cbf5 100644 --- a/drivers/usb/serial/cypress_m8.c +++ b/drivers/usb/serial/cypress_m8.c @@ -447,6 +447,9 @@ static int cypress_generic_port_probe(struct usb_serial_port *port) struct usb_serial *serial = port->serial; struct cypress_private *priv; + if (!port->interrupt_out_urb || !port->interrupt_in_urb) + return -ENODEV; + priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); if (!priv) return -ENOMEM; -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] cypress_m8: add sanity checking
On Thu, Mar 17, 2016 at 11:07:31AM +0100, Oliver Neukum wrote: > An attack using missing endpoints exists. > CVE-2016-3137 > > Signed-off-by: Oliver Neukum> CC: sta...@vger.kernel.org > --- > drivers/usb/serial/cypress_m8.c | 12 ++-- > 1 file changed, 6 insertions(+), 6 deletions(-) > > diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c > index 01bf533..8eeff72 100644 > --- a/drivers/usb/serial/cypress_m8.c > +++ b/drivers/usb/serial/cypress_m8.c > @@ -447,6 +447,12 @@ static int cypress_generic_port_probe(struct > usb_serial_port *port) > struct usb_serial *serial = port->serial; > struct cypress_private *priv; > > + if (!port->interrupt_out_urb || !port->interrupt_in_urb) { > + dev_err(>dev, > + "cypress_m8 is missing a required endpoint"); Trailing '\n' missing. No need to include the driver name here, it will be added by dev_err. Also please include a patch revision in the summary when resending (and a changelog below the cut-off line). Thanks, Johan -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] cypress_m8: add sanity checking
On Wed, Mar 16, 2016 at 03:19:49PM +0100, Oliver Neukum wrote: > An attack using missing endpoints exists. > CVE-2016-3137 > > Signed-off-by: Oliver Neukum> CC: sta...@vger.kernel.org > --- > drivers/usb/serial/cypress_m8.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c > index 01bf533..1c6cbf5 100644 > --- a/drivers/usb/serial/cypress_m8.c > +++ b/drivers/usb/serial/cypress_m8.c > @@ -447,6 +447,9 @@ static int cypress_generic_port_probe(struct > usb_serial_port *port) > struct usb_serial *serial = port->serial; > struct cypress_private *priv; > > + if (!port->interrupt_out_urb || !port->interrupt_in_urb) > + return -ENODEV; > + This look good, but would you mind adding dev_err in case the expected endpoints are missing? You can also remove the interrupt-in-urb check in open(). > priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); > if (!priv) > return -ENOMEM; Thanks, Johan -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] cypress_m8: add sanity checking
An attack using missing endpoints exists. CVE-2016-3137 Signed-off-by: Oliver NeukumCC: sta...@vger.kernel.org --- drivers/usb/serial/cypress_m8.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c index 01bf533..8eeff72 100644 --- a/drivers/usb/serial/cypress_m8.c +++ b/drivers/usb/serial/cypress_m8.c @@ -447,6 +447,12 @@ static int cypress_generic_port_probe(struct usb_serial_port *port) struct usb_serial *serial = port->serial; struct cypress_private *priv; + if (!port->interrupt_out_urb || !port->interrupt_in_urb) { + dev_err(>dev, + "cypress_m8 is missing a required endpoint"); + return -ENODEV; + } + priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); if (!priv) return -ENOMEM; @@ -606,12 +612,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port) cypress_set_termios(tty, port, >tmp_termios); /* setup the port and start reading from the device */ - if (!port->interrupt_in_urb) { - dev_err(>dev, "%s - interrupt_in_urb is empty!\n", - __func__); - return -1; - } - usb_fill_int_urb(port->interrupt_in_urb, serial->dev, usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), port->interrupt_in_urb->transfer_buffer, -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html