Re: [PATCH 4.5 058/238] USB: iowarrior: fix oops with malicious USB descriptors

From: Ben Hutchings
Date: Mon Apr 11 2016 - 21:37:49 EST


On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:

> 4.5-stable review patch.ÂÂIf anyone has any objections, please let me know.
>
> ------------------
>
> From: Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>
>
> commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.
>
> The iowarrior driver expects at least one valid endpoint.ÂÂIf given
> malicious descriptors that specify 0 for the number of endpoints,
> it will crash in the probe function.ÂÂEnsure there is at least
> one endpoint on the interface before using it.
[...]

Which means our imaginary attacker will move on to providing a single
endpoint of the wrong type. ÂYou've fixed the driver to reject the PoC
descriptor without thinking about what the driver actually requires.

I don't see the point of applying this to stable; it doesn't provide
any meaningful security benefit.

Ben.

--
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.

Attachment: signature.asc
Description: This is a digitally signed message part