git.openpandora.org / pandora-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: e0dbd4b)
USB: usb_driver_claim_interface: add sanity checking
authorOliver Neukum <oneukum@suse.com>
Wed, 16 Mar 2016 12:26:17 +0000 (13:26 +0100)
committerBen Hutchings <ben@decadent.org.uk>
Sat, 30 Apr 2016 22:05:19 +0000 (00:05 +0200)
commit 0b818e3956fc1ad976bee791eadcbb3b5fec5bfd upstream.

Attacks that trick drivers into passing a NULL pointer
to usb_driver_claim_interface() using forged descriptors are
known. This thwarts them by sanity checking.

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
drivers/usb/core/driver.c patch | blob | history

diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
index c105ba3..c595714 100644 (file)
--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -428,9 +428,13 @@ static int usb_unbind_interface(struct device *dev)
 int usb_driver_claim_interface(struct usb_driver *driver,
                                struct usb_interface *iface, void *priv)
 {
-       struct device *dev = &iface->dev;
+       struct device *dev;
        int retval = 0;
 
+       if (!iface)
+               return -ENODEV;
+
+       dev = &iface->dev;
        if (dev->driver)
                return -EBUSY;
 
Pandora Kernel Repository