Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759493AbcDJTAW (ORCPT ); Sun, 10 Apr 2016 15:00:22 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:53080 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1759192AbcDJS66 (ORCPT ); Sun, 10 Apr 2016 14:58:58 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ralf Spenneberg , Josh Boyer , Dmitry Torokhov Subject: [PATCH 4.4 065/210] Input: powermate - fix oops with malicious USB descriptors Date: Sun, 10 Apr 2016 11:34:46 -0700 Message-Id: <20160410183528.955642500@linuxfoundation.org> X-Mailer: git-send-email 2.8.0 In-Reply-To: <20160410183526.651820045@linuxfoundation.org> References: <20160410183526.651820045@linuxfoundation.org> User-Agent: quilt/0.64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1207 Lines: 38 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Josh Boyer commit 9c6ba456711687b794dcf285856fc14e2c76074f upstream. The powermate driver expects at least one valid USB endpoint in its probe function. If given malicious descriptors that specify 0 for the number of endpoints, it will crash. Validate the number of endpoints on the interface before using them. The full report for this issue can be found here: http://seclists.org/bugtraq/2016/Mar/85 Reported-by: Ralf Spenneberg Signed-off-by: Josh Boyer Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman --- drivers/input/misc/powermate.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/input/misc/powermate.c +++ b/drivers/input/misc/powermate.c @@ -307,6 +307,9 @@ static int powermate_probe(struct usb_in int error = -ENOMEM; interface = intf->cur_altsetting; + if (interface->desc.bNumEndpoints < 1) + return -EINVAL; + endpoint = &interface->endpoint[0].desc; if (!usb_endpoint_is_int_in(endpoint)) return -EIO;