Re: [BACKPORT 4.4.y 04/25] USB: iowarrior: fix oops with malicious USB descriptors

From: Arnd Bergmann
Date: Tue Mar 26 2019 - 04:21:00 EST


On Tue, Mar 26, 2019 at 2:23 AM Greg Kroah-Hartman
<gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Fri, Mar 22, 2019 at 04:43:55PM +0100, Arnd Bergmann wrote:
> > From: Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>
> >
> > The iowarrior driver expects at least one valid endpoint. If given
> > malicious descriptors that specify 0 for the number of endpoints,
> > it will crash in the probe function. Ensure there is at least
> > one endpoint on the interface before using it.
> >
> > The full report of this issue can be found here:
> > http://seclists.org/bugtraq/2016/Mar/87
> >
> > Reported-by: Ralf Spenneberg <ralf@xxxxxxxxxxxxxx>
> > Cc: stable <stable@xxxxxxxxxxxxxxx>
> > Signed-off-by: Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> > (cherry picked from commit 4ec0ef3a82125efc36173062a50624550a900ae0)
> > Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>
> > ---
> > drivers/usb/misc/iowarrior.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
>
> This commit has been in the tree for a long time. It was in the 4.4.7
> release, back in April 2016. And then it was reverted in commit
> b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe") as it broke
> systems. So why add it back, the correct functionality should be there
> today, right?

Sorry I missed that history. The script I used to identify patches noticed
that this patch was not applied, but I did not have a check for already-
reverted patches.

Chunyan, Baolin: it seems the spreadtrum 4.4 kernel got this wrong
as well, by backporting the patch again on top of 4.4.172. Can you check
the latest internal version for this?

Arnd