Re: [PATCH 4.5 058/238] USB: iowarrior: fix oops with malicious USB descriptors

[Greg Kroah-Hartman]

On Tue, Apr 12, 2016 at 02:37:33AM +0100, Ben Hutchings wrote:
> On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:
> 
> > 4.5-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>
> > 
> > commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.
> > 
> > The iowarrior driver expects at least one valid endpoint.  If given
> > malicious descriptors that specify 0 for the number of endpoints,
> > it will crash in the probe function.  Ensure there is at least
> > one endpoint on the interface before using it.
> [...]
> 
> Which means our imaginary attacker will move on to providing a single
> endpoint of the wrong type.  You've fixed the driver to reject the PoC
> descriptor without thinking about what the driver actually requires.
> 
> I don't see the point of applying this to stable; it doesn't provide
> any meaningful security benefit.

Well, it's one hurdle down, but yes, it needs to be fixed "correctly"
Ideally all of these types of issues can be fixed in the USB core, I
just need to carve out some time to resolve them, but for now, let's
stay in sync with Linus's tree for this patch.

thanks,

greg k-h