2017-10-29 22:14:37 -04:00
|
|
|
From adaad9d866105bcb8f87293a0a675f573a39129d Mon Sep 17 00:00:00 2001
|
2017-10-29 01:48:53 -04:00
|
|
|
From: Vladis Dronov <vdronov@redhat.com>
|
|
|
|
Date: Thu, 31 Mar 2016 10:53:42 -0700
|
|
|
|
Subject: Input: gtco - fix crash on detecting device without endpoints
|
|
|
|
|
2017-10-29 22:14:37 -04:00
|
|
|
commit 162f98dea487206d9ab79fc12ed64700667a894d upstream.
|
|
|
|
|
2017-10-29 01:48:53 -04:00
|
|
|
The gtco driver expects at least one valid endpoint. If given malicious
|
|
|
|
descriptors that specify 0 for the number of endpoints, it will crash in
|
|
|
|
the probe function. Ensure there is at least one endpoint on the interface
|
|
|
|
before using it.
|
|
|
|
|
|
|
|
Also let's fix a minor coding style issue.
|
|
|
|
|
|
|
|
The full correct report of this issue can be found in the public
|
|
|
|
Red Hat Bugzilla:
|
|
|
|
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1283385
|
|
|
|
|
|
|
|
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
|
|
|
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
|
|
|
Cc: stable@vger.kernel.org
|
|
|
|
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
2017-10-29 22:14:37 -04:00
|
|
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
2017-10-29 01:48:53 -04:00
|
|
|
---
|
|
|
|
drivers/input/tablet/gtco.c | 10 +++++++++-
|
|
|
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
|
|
|
|
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
|
2017-10-29 22:14:37 -04:00
|
|
|
index 29e01ab..a9f8f92 100644
|
2017-10-29 01:48:53 -04:00
|
|
|
--- a/drivers/input/tablet/gtco.c
|
|
|
|
+++ b/drivers/input/tablet/gtco.c
|
2017-10-29 22:14:37 -04:00
|
|
|
@@ -869,6 +869,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
|
2017-10-29 01:48:53 -04:00
|
|
|
goto err_free_buf;
|
|
|
|
}
|
|
|
|
|
|
|
|
+ /* Sanity check that a device has an endpoint */
|
|
|
|
+ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
|
|
|
|
+ dev_err(&usbinterface->dev,
|
|
|
|
+ "Invalid number of endpoints\n");
|
|
|
|
+ error = -EINVAL;
|
|
|
|
+ goto err_free_urb;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
/*
|
|
|
|
* The endpoint is always altsetting 0, we know this since we know
|
|
|
|
* this device only has one interrupt endpoint
|
2017-10-29 22:14:37 -04:00
|
|
|
@@ -890,7 +898,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
|
2017-10-29 01:48:53 -04:00
|
|
|
* HID report descriptor
|
|
|
|
*/
|
|
|
|
if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
|
|
|
|
- HID_DEVICE_TYPE, &hid_desc) != 0){
|
|
|
|
+ HID_DEVICE_TYPE, &hid_desc) != 0) {
|
|
|
|
dev_err(&usbinterface->dev,
|
|
|
|
"Can't retrieve exta USB descriptor to get hid report descriptor length\n");
|
|
|
|
error = -EIO;
|
|
|
|
--
|
|
|
|
cgit v1.1
|
|
|
|
|