Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752363AbcDRC12 (ORCPT ); Sun, 17 Apr 2016 22:27:28 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:35423 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752324AbcDRC1Z (ORCPT ); Sun, 17 Apr 2016 22:27:25 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ralf Spenneberg , Vladis Dronov , Mauro Carvalho Chehab Subject: [PATCH 3.14 36/37] [media] usbvision: fix crash on detecting device with invalid configuration Date: Mon, 18 Apr 2016 11:26:08 +0900 Message-Id: <20160418022402.709475197@linuxfoundation.org> X-Mailer: git-send-email 2.8.0 In-Reply-To: <20160418022400.661946311@linuxfoundation.org> References: <20160418022400.661946311@linuxfoundation.org> User-Agent: quilt/0.64 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-15 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1776 Lines: 49 3.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Vladis Dronov commit fa52bd506f274b7619955917abfde355e3d19ffe upstream. The usbvision driver crashes when a specially crafted usb device with invalid number of interfaces or endpoints is detected. This fix adds checks that the device has proper configuration expected by the driver. Reported-by: Ralf Spenneberg Signed-off-by: Vladis Dronov Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- drivers/media/usb/usbvision/usbvision-video.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) --- a/drivers/media/usb/usbvision/usbvision-video.c +++ b/drivers/media/usb/usbvision/usbvision-video.c @@ -1546,9 +1546,23 @@ static int usbvision_probe(struct usb_in if (usbvision_device_data[model].interface >= 0) interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; - else + else if (ifnum < dev->actconfig->desc.bNumInterfaces) interface = &dev->actconfig->interface[ifnum]->altsetting[0]; + else { + dev_err(&intf->dev, "interface %d is invalid, max is %d\n", + ifnum, dev->actconfig->desc.bNumInterfaces - 1); + ret = -ENODEV; + goto err_usb; + } + + if (interface->desc.bNumEndpoints < 2) { + dev_err(&intf->dev, "interface %d has %d endpoints, but must" + " have minimum 2\n", ifnum, interface->desc.bNumEndpoints); + ret = -ENODEV; + goto err_usb; + } endpoint = &interface->endpoint[1].desc; + if (!usb_endpoint_xfer_isoc(endpoint)) { dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n", __func__, ifnum);