
Input: ati_remote2 - fix crashes on detecting device with invalid descriptor

The ati_remote2 driver expects at least two interfaces with one
endpoint each. If given a malicious descriptor that specifies one
interface or no endpoints, it will crash in the probe function.
Ensure there are at least two interfaces and one endpoint for each
interface before using it.

The full disclosure: http://seclists.org/bugtraq/2016/Mar/90

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

authored by

Vladis Dronov and committed by
Dmitry Torokhov
950336ba 82be788c

+30 -6
+30 -6
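--- a/drivers/input/misc/ati_remote2.c
+++ b/drivers/input/misc/ati_remote2.c
@@ -817,26 +817,49 @@
 
 	ar2->udev = udev;
 
+	/* Sanity check, first interface must have an endpoint */
+	if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+		dev_err(&interface->dev,
+			"%s(): interface 0 must have an endpoint\n", __func__);
+		r = -ENODEV;
+		goto fail1;
+	}
 	ar2->intf[0] = interface;
 	ar2->ep[0] = &alt->endpoint[0].desc;
 
+	/* Sanity check, the device must have two interfaces */
 	ar2->intf[1] = usb_ifnum_to_if(udev, 1);
+	if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
+		dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
+			__func__, udev->actconfig->desc.bNumInterfaces);
+		r = -ENODEV;
+		goto fail1;
+	}
+
 	r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
 	if (r)
 		goto fail1;
+
+	/* Sanity check, second interface must have an endpoint */
 	alt = ar2->intf[1]->cur_altsetting;
+	if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+		dev_err(&interface->dev,
+			"%s(): interface 1 must have an endpoint\n", __func__);
+		r = -ENODEV;
+		goto fail2;
+	}
 	ar2->ep[1] = &alt->endpoint[0].desc;
 
 	r = ati_remote2_urb_init(ar2);
 	if (r)
-		goto fail2;
+		goto fail3;
 
 	ar2->channel_mask = channel_mask;
 	ar2->mode_mask = mode_mask;
 
 	r = ati_remote2_setup(ar2, ar2->channel_mask);
 	if (r)
-		goto fail2;
+		goto fail3;
 
 	usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
 	strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
@@ -845,11 +868,11 @@
 
 	r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
 	if (r)
-		goto fail2;
+		goto fail3;
 
 	r = ati_remote2_input_init(ar2);
 	if (r)
-		goto fail3;
+		goto fail4;
 
 	usb_set_intfdata(interface, ar2);
 
@@ -857,10 +880,11 @@
 
 	return 0;
 
- fail3:
+ fail4:
 	sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
- fail2:
+ fail3:
 	ati_remote2_urb_cleanup(ar2);
+ fail2:
 	usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
  fail1:
 	kfree(ar2);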
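Review bot: The two endpoint checks (`alt->desc.bNumEndpoints < 1 || !alt->endpoint`) confirm that an endpoint exists but not its type or direction, so `ar2->ep[0]` and `ar2->ep[1]` are still taken from a device-supplied descriptor without checking that they are interrupt-IN endpoints. If `ati_remote2_urb_init()` (not shown on this page) builds interrupt URBs from these descriptors, as the driver's purpose suggests, each assignment could be followed by a guard such as `if (!usb_endpoint_is_int_in(ar2->ep[0])) { r = -ENODEV; goto fail1; }`, with `ep[1]` and `goto fail2` for the second interface. The probe function starts and ends outside the visible lines, so an earlier check may already cover this; that cannot be confirmed from the page.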