USB: usbtmc: add missing endpoint sanity check

USBTMC devices are required to have a bulk-in and a bulk-out endpoint,
but the driver failed to verify this, something which could lead to the
endpoint addresses being taken from uninitialised memory.

Make sure to zero all private data as part of allocation, and add the
missing endpoint sanity check.

Note that this also addresses a more recently introduced issue, where
the interrupt-in-presence flag would also be uninitialised whenever the
optional interrupt-in endpoint is not present. This in turn could lead
to an interrupt urb being allocated, initialised and submitted based on
uninitialised values.

Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
Fixes: 5b775f672cc9 ("USB: add USB test and measurement class driver")
Cc: stable <stable@vger.kernel.org> # 2.6.28
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by Johan Hovold and committed by Greg Kroah-Hartman 687e0687 bc1e2154

+9 -1
drivers/usb/class/usbtmc.c
··· 1381 1381 1382 1382 dev_dbg(&intf->dev, "%s called\n", __func__); 1383 1383 1384 - data = kmalloc(sizeof(*data), GFP_KERNEL); 1384 + data = kzalloc(sizeof(*data), GFP_KERNEL); 1385 1385 if (!data) 1386 1386 return -ENOMEM; 1387 1387 ··· 1444 1444 break; 1445 1445 } 1446 1446 } 1447 + 1448 + if (!data->bulk_out || !data->bulk_in) { 1449 + dev_err(&intf->dev, "bulk endpoints not found\n"); 1450 + retcode = -ENODEV; 1451 + goto err_put; 1452 + } 1453 + 1447 1454 /* Find int endpoint */ 1448 1455 for (n = 0; n < iface_desc->desc.bNumEndpoints; n++) { 1449 1456 endpoint = &iface_desc->endpoint[n].desc; ··· 1519 1512 sysfs_remove_group(&intf->dev.kobj, &capability_attr_grp); 1520 1513 sysfs_remove_group(&intf->dev.kobj, &data_attr_grp); 1521 1514 usbtmc_free_int(data); 1515 + err_put: 1522 1516 kref_put(&data->kref, usbtmc_delete); 1523 1517 return retcode; 1524 1518 }
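Review bot: The new test at line 1448, `if (!data->bulk_out || !data->bulk_in)`, treats zero as "endpoint not found", so it is only correct together with the kmalloc() to kzalloc() change at line 1384, and nothing in the code records that dependency. A one-line comment above the check would help, saying that the fields start out zeroed and that 0 can never be a bulk endpoint address because endpoint 0 is the default control endpoint. That would keep a later change to the allocation or to the endpoint search loop from quietly turning the check back into a read of stale values.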
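Review bot: The new `err_put:` label at line 1515 falls straight into `kref_put(&data->kref, usbtmc_delete)`, so the `goto err_put` from the bulk endpoint check is only safe if data->kref is initialised, and everything usbtmc_delete releases has been acquired, before line 1448. That setup sits in the context elided between the first two hunks and should be confirmed there. The label also skips both sysfs_remove_group() calls and usbtmc_free_int(), which is right only while neither the sysfs groups nor the interrupt resources exist at the point of the check. That ordering constraint deserves a mention in the commit message or a comment at the label.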