|
 |
162a279 |
From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001
|
|
|
162a279 |
From: Josh Boyer <jwboyer@fedoraproject.org>
|
|
|
162a279 |
Date: Mon, 14 Mar 2016 10:02:51 -0400
|
|
|
162a279 |
Subject: [PATCH] USB: input: powermate: fix oops with malicious USB
|
|
|
162a279 |
descriptors
|
|
|
162a279 |
|
|
|
162a279 |
The powermate driver expects at least one valid USB endpoint in its
|
|
|
162a279 |
probe function. If given malicious descriptors that specify 0 for
|
|
|
162a279 |
the number of endpoints, it will crash. Validate the number of
|
|
|
162a279 |
endpoints on the interface before using them.
|
|
|
162a279 |
|
|
|
162a279 |
The full report for this issue can be found here:
|
|
|
162a279 |
http://seclists.org/bugtraq/2016/Mar/85
|
|
|
162a279 |
|
|
|
162a279 |
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
|
|
162a279 |
Cc: stable <stable@vger.kernel.org>
|
|
|
162a279 |
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
|
|
162a279 |
---
|
|
|
162a279 |
drivers/input/misc/powermate.c | 3 +++
|
|
|
162a279 |
1 file changed, 3 insertions(+)
|
|
|
162a279 |
|
|
|
162a279 |
diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
|
|
|
162a279 |
index 63b539d3daba..84909a12ff36 100644
|
|
|
162a279 |
--- a/drivers/input/misc/powermate.c
|
|
|
162a279 |
+++ b/drivers/input/misc/powermate.c
|
|
|
162a279 |
@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
|
|
|
162a279 |
int error = -ENOMEM;
|
|
|
162a279 |
|
|
|
162a279 |
interface = intf->cur_altsetting;
|
|
|
162a279 |
+ if (interface->desc.bNumEndpoints < 1)
|
|
|
162a279 |
+ return -EINVAL;
|
|
|
162a279 |
+
|
|
|
162a279 |
endpoint = &interface->endpoint[0].desc;
|
|
|
162a279 |
if (!usb_endpoint_is_int_in(endpoint))
|
|
|
162a279 |
return -EIO;
|
|
|
162a279 |
--
|
|
|
162a279 |
2.5.0
|
|
|
162a279 |
|