mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
39 lines
1.4 KiB
Diff
39 lines
1.4 KiB
Diff
|
From b684cb33d6867e10ba45375a12ef9f3ceb6f0aa7 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||
|
|
Date: Mon, 14 Mar 2016 09:33:40 -0700
|
||
|
|
Subject: [PATCH] Input: powermate - fix oops with malicious USB descriptors
|
||
|
|
|
||
|
|
[ Upstream commit 9c6ba456711687b794dcf285856fc14e2c76074f ]
|
||
|
|
|
||
|
|
The powermate driver expects at least one valid USB endpoint in its
|
||
|
|
probe function. If given malicious descriptors that specify 0 for
|
||
|
|
the number of endpoints, it will crash. Validate the number of
|
||
|
|
endpoints on the interface before using them.
|
||
|
|
|
||
|
|
The full report for this issue can be found here:
|
||
|
|
http://seclists.org/bugtraq/2016/Mar/85
|
||
|
|
|
||
|
|
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||
|
|
Cc: stable <stable@vger.kernel.org>
|
||
|
|
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||
|
|
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
||
|
|
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
||
|
|
---
|
||
|
|
drivers/input/misc/powermate.c | 3 +++
|
||
|
|
1 file changed, 3 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
|
||
|
|
index 63b539d3dabae..84909a12ff36c 100644
|
||
|
|
--- a/drivers/input/misc/powermate.c
|
||
|
|
+++ b/drivers/input/misc/powermate.c
|
||
|
|
@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
|
||
|
|
int error = -ENOMEM;
|
||
|
|
|
||
|
|
interface = intf->cur_altsetting;
|
||
|
|
+ if (interface->desc.bNumEndpoints < 1)
|
||
|
|
+ return -EINVAL;
|
||
|
|
+
|
||
|
|
endpoint = &interface->endpoint[0].desc;
|
||
|
|
if (!usb_endpoint_is_int_in(endpoint))
|
||
|
|
return -EIO;
|