This is a note to let you know that I've just added the patch titled
HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl
to the 2.6.32-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_ioctl.patch
and it can be found in the queue-2.6.32 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From d20d5ffab92f00188f360c44c791a5ffb988247c Mon Sep 17 00:00:00 2001
From: Antonio Ospite <[email protected]>
Date: Tue, 5 Oct 2010 17:20:16 +0200
Subject: HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl
From: Antonio Ospite <[email protected]>
commit d20d5ffab92f00188f360c44c791a5ffb988247c upstream.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
IP: [<ffffffffa02c66b4>] hidraw_ioctl+0xfc/0x32c [hid]
[...]
This is reproducible by disconnecting the device while userspace does
ioctl in a loop and doesn't check return values in order to exit the
loop.
Signed-off-by: Antonio Ospite <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/hid/hidraw.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -237,11 +237,16 @@ static long hidraw_ioctl(struct file *fi
struct inode *inode = file->f_path.dentry->d_inode;
unsigned int minor = iminor(inode);
long ret = 0;
- /* FIXME: What stops hidraw_table going NULL */
- struct hidraw *dev = hidraw_table[minor];
+ struct hidraw *dev;
void __user *user_arg = (void __user*) arg;
lock_kernel();
+ dev = hidraw_table[minor];
+ if (!dev) {
+ ret = -ENODEV;
+ goto out;
+ }
+
switch (cmd) {
case HIDIOCGRDESCSIZE:
if (put_user(dev->hid->rsize, (int __user *)arg))
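Review bot: The new `if (!dev)` check after `dev = hidraw_table[minor];` is only race-free if the disconnect path clears `hidraw_table[minor]` while holding the same lock. The removed FIXME asked exactly that question, and the hunk drops it without recording the answer; a one-line comment at the lookup naming what protects the table would document it. Separately, the first case still dereferences `dev->hid->rsize` with only `dev` checked, so it is worth confirming that `dev->hid` cannot be NULL or stale while the table entry is still set.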
@@ -314,6 +319,7 @@ static long hidraw_ioctl(struct file *fi
ret = -ENOTTY;
}
+out:
unlock_kernel();
return ret;
}
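Review bot: The `out:` label falls straight into `unlock_kernel()`, so it is only a valid target for jumps taken after `lock_kernel()`; the single `goto out` in this patch satisfies that. Naming the label `out_unlock` would make the precondition visible to anyone who later adds an exit path earlier in the function.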
Patches currently in stable-queue which might be from [email protected]
are
queue-2.6.32/hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_ioctl.patch