Subject: Re: [PATCH 4.5 058/238] USB: iowarrior: fix oops with malicious USB descriptors
From: Ben Hutchings
To: Josh Boyer
Cc: stable@vger.kernel.org, Ralf Spenneberg, Greg Kroah-Hartman, linux-kernel@vger.kernel.org
Date: Tue, 12 Apr 2016 02:37:33 +0100
Message-ID: <1460425053.25201.94.camel@decadent.org.uk>
In-Reply-To: <20160410183459.726977519@linuxfoundation.org>

On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:
> 4.5-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Josh Boyer
>
> commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.
>
> The iowarrior driver expects at least one valid endpoint.  If given
> malicious descriptors that specify 0 for the number of endpoints,
> it will crash in the probe function.  Ensure there is at least
> one endpoint on the interface before using it.
[...]

Which means our imaginary attacker will move on to providing a single
endpoint of the wrong type.  You've fixed the driver to reject the PoC
descriptor without thinking about what the driver actually requires.

I don't see the point of applying this to stable; it doesn't provide
any meaningful security benefit.

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.
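
The difference between the count check and a requirement check raised in the reply above, as an added user-space example that is not code from the patch, the driver, or either author. It assumes for illustration that the driver's requirement is one interrupt IN endpoint; the function names and descriptor bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants from the USB 2.0 specification, chapter 9. */
#define DT_ENDPOINT      0x05
#define DT_ENDPOINT_SIZE 7
#define DIR_IN           0x80
#define XFER_MASK        0x03
#define XFER_INT         0x03

/* Constructed sample endpoint descriptors (not captured from a device). */
static const uint8_t bulk_out_ep[] = { 7, DT_ENDPOINT, 0x01, 0x02, 0x40, 0x00, 0x00 };
static const uint8_t int_in_ep[]   = { 7, DT_ENDPOINT, 0x81, 0x03, 0x08, 0x00, 0x0a };

/* Count-only check: all that the quoted commit message asks for. */
static bool count_only_ok(uint8_t num_endpoints)
{
    return num_endpoints >= 1;
}

/* Requirement check (assumed requirement: one interrupt IN endpoint).
 * Walks the descriptors that follow an interface descriptor. */
static bool has_int_in_endpoint(const uint8_t *buf, size_t len)
{
    size_t off = 0;

    while (len - off >= 2) {
        uint8_t dlen = buf[off], dtype = buf[off + 1];

        if (dlen < 2 || dlen > len - off)
            return false;           /* malformed or truncated: reject */
        if (dtype == DT_ENDPOINT && dlen >= DT_ENDPOINT_SIZE &&
            (buf[off + 2] & DIR_IN) &&
            (buf[off + 3] & XFER_MASK) == XFER_INT)
            return true;            /* interrupt IN endpoint found */
        off += dlen;
    }
    return false;
}

int main(void)
{
    printf("bulk OUT only: count check %d, type check %d\n",
           count_only_ok(1), has_int_in_endpoint(bulk_out_ep, sizeof bulk_out_ep));
    printf("interrupt IN:  count check %d, type check %d\n",
           count_only_ok(1), has_int_in_endpoint(int_in_ep, sizeof int_in_ep));
    return 0;
}
```

In kernel code the equivalent test on a parsed endpoint descriptor is `usb_endpoint_is_int_in()` from `linux/usb/ch9.h`.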