diff options
| author | Vladis Dronov <vdronov@redhat.com> | 2016-03-23 14:53:46 -0400 |
|---|---|---|
| committer | Dmitry Torokhov <dmitry.torokhov@gmail.com> | 2016-03-23 20:29:29 -0400 |
| commit | 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d (patch) | |
| tree | ed4c695d4b84106f45b362ef3ce2785dde7b8d03 | |
| parent | 82be788c96ed5978d3cb4a00079e26b981a3df3f (diff) | |
Input: ati_remote2 - fix crashes on detecting device with invalid descriptor
The ati_remote2 driver expects at least two interfaces with one
endpoint each. If given malicious descriptor that specify one
interface or no endpoints, it will crash in the probe function.
Ensure there is at least two interfaces and one endpoint for each
interface before using it.
The full disclosure: http://seclists.org/bugtraq/2016/Mar/90
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
| -rw-r--r-- | drivers/input/misc/ati_remote2.c | 36 |
1 files changed, 30 insertions, 6 deletions
diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c index cfd58e87da26..1c5914cae853 100644 --- a/drivers/input/misc/ati_remote2.c +++ b/drivers/input/misc/ati_remote2.c | |||
| @@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d | |||
| 817 | 817 | ||
| 818 | ar2->udev = udev; | 818 | ar2->udev = udev; |
| 819 | 819 | ||
| 820 | /* Sanity check, first interface must have an endpoint */ | ||
| 821 | if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) { | ||
| 822 | dev_err(&interface->dev, | ||
| 823 | "%s(): interface 0 must have an endpoint\n", __func__); | ||
| 824 | r = -ENODEV; | ||
| 825 | goto fail1; | ||
| 826 | } | ||
| 820 | ar2->intf[0] = interface; | 827 | ar2->intf[0] = interface; |
| 821 | ar2->ep[0] = &alt->endpoint[0].desc; | 828 | ar2->ep[0] = &alt->endpoint[0].desc; |
| 822 | 829 | ||
| 830 | /* Sanity check, the device must have two interfaces */ | ||
| 823 | ar2->intf[1] = usb_ifnum_to_if(udev, 1); | 831 | ar2->intf[1] = usb_ifnum_to_if(udev, 1); |
| 832 | if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) { | ||
| 833 | dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n", | ||
| 834 | __func__, udev->actconfig->desc.bNumInterfaces); | ||
| 835 | r = -ENODEV; | ||
| 836 | goto fail1; | ||
| 837 | } | ||
| 838 | |||
| 824 | r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2); | 839 | r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2); |
| 825 | if (r) | 840 | if (r) |
| 826 | goto fail1; | 841 | goto fail1; |
| 842 | |||
| 843 | /* Sanity check, second interface must have an endpoint */ | ||
| 827 | alt = ar2->intf[1]->cur_altsetting; | 844 | alt = ar2->intf[1]->cur_altsetting; |
| 845 | if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) { | ||
| 846 | dev_err(&interface->dev, | ||
| 847 | "%s(): interface 1 must have an endpoint\n", __func__); | ||
| 848 | r = -ENODEV; | ||
| 849 | goto fail2; | ||
| 850 | } | ||
| 828 | ar2->ep[1] = &alt->endpoint[0].desc; | 851 | ar2->ep[1] = &alt->endpoint[0].desc; |
| 829 | 852 | ||
| 830 | r = ati_remote2_urb_init(ar2); | 853 | r = ati_remote2_urb_init(ar2); |
| 831 | if (r) | 854 | if (r) |
| 832 | goto fail2; | 855 | goto fail3; |
| 833 | 856 | ||
| 834 | ar2->channel_mask = channel_mask; | 857 | ar2->channel_mask = channel_mask; |
| 835 | ar2->mode_mask = mode_mask; | 858 | ar2->mode_mask = mode_mask; |
| 836 | 859 | ||
| 837 | r = ati_remote2_setup(ar2, ar2->channel_mask); | 860 | r = ati_remote2_setup(ar2, ar2->channel_mask); |
| 838 | if (r) | 861 | if (r) |
| 839 | goto fail2; | 862 | goto fail3; |
| 840 | 863 | ||
| 841 | usb_make_path(udev, ar2->phys, sizeof(ar2->phys)); | 864 | usb_make_path(udev, ar2->phys, sizeof(ar2->phys)); |
| 842 | strlcat(ar2->phys, "/input0", sizeof(ar2->phys)); | 865 | strlcat(ar2->phys, "/input0", sizeof(ar2->phys)); |
| @@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d | |||
| 845 | 868 | ||
| 846 | r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group); | 869 | r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group); |
| 847 | if (r) | 870 | if (r) |
| 848 | goto fail2; | 871 | goto fail3; |
| 849 | 872 | ||
| 850 | r = ati_remote2_input_init(ar2); | 873 | r = ati_remote2_input_init(ar2); |
| 851 | if (r) | 874 | if (r) |
| 852 | goto fail3; | 875 | goto fail4; |
| 853 | 876 | ||
| 854 | usb_set_intfdata(interface, ar2); | 877 | usb_set_intfdata(interface, ar2); |
| 855 | 878 | ||
| @@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d | |||
| 857 | 880 | ||
| 858 | return 0; | 881 | return 0; |
| 859 | 882 | ||
| 860 | fail3: | 883 | fail4: |
| 861 | sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group); | 884 | sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group); |
| 862 | fail2: | 885 | fail3: |
| 863 | ati_remote2_urb_cleanup(ar2); | 886 | ati_remote2_urb_cleanup(ar2); |
| 887 | fail2: | ||
| 864 | usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]); | 888 | usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]); |
| 865 | fail1: | 889 | fail1: |
| 866 | kfree(ar2); | 890 | kfree(ar2); |