From: Vladis Dronov
To: Greg Kroah-Hartman, Alan Stern, Oliver Neukum, Hans de Goede, syzkaller@googlegroups.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: stable, Vladis Dronov
Subject: [PATCH] usb: usbfs: fix crash in check_ctrlrecip()->usb_find_alt_setting()
Date: Tue, 25 Sep 2018 14:22:42 +0200
Message-Id: <20180925122242.10950-1-vdronov@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

ps->dev->actconfig can be NULL and cause NULL-deref in usb_find_alt_setting() before c9a4cb204e9e. Fix this anyway by checking that ps->dev->actconfig is not NULL, so usb_find_alt_setting() is not called with a known-bad argument.

Signed-off-by: Vladis Dronov
Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com

--- drivers/usb/core/devio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 6ce77b33da61..26047620b003 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -824,7 +824,7 @@ static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype, * class specification, which we always want to allow as it is used * to query things like ink level, etc. */ - if (requesttype == 0xa1 && request == 0) { + if (requesttype == 0xa1 && request == 0 && ps->dev->actconfig) { alt_setting = usb_find_alt_setting(ps->dev->actconfig, index >> 8, index & 0xff); if (alt_setting -- 2.14.4
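
Review bot: In the changed condition of check_ctrlrecip(), ps->dev->actconfig is tested and then read a second time as the argument to usb_find_alt_setting(), so the check only helps if nothing can clear actconfig between the two reads. Please state in the commit message which lock the callers hold at this point, or load the pointer into a local once and use that local for both the test and the call. The comment above the condition still says this request is one "we always want to allow", but with the added test an unconfigured device silently skips the shortcut; a line in that comment covering the actconfig == NULL case would make the intent clear. Since the message says the NULL dereference only occurs before c9a4cb204e9e and the patch is Cc'd to stable, a Fixes: tag or a note on which stable trees need it would define the backport scope.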