Date: Tue, 26 Mar 2019 10:13:19 +0900
From: Greg Kroah-Hartman
To: Arnd Bergmann
Cc: stable@vger.kernel.org, Kees Cook, Sebastian Andrzej Siewior, "Gustavo A. R. Silva", Josh Boyer, Ralf Spenneberg, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [BACKPORT 4.4.y 04/25] USB: iowarrior: fix oops with malicious USB descriptors
Message-ID: <20190326011319.GC29420@kroah.com>
References: <20190322154425.3852517-1-arnd@arndb.de> <20190322154425.3852517-5-arnd@arndb.de>
In-Reply-To: <20190322154425.3852517-5-arnd@arndb.de>

On Fri, Mar 22, 2019 at 04:43:55PM +0100, Arnd Bergmann wrote:
> From: Josh Boyer
>
> The iowarrior driver expects at least one valid endpoint. If given
> malicious descriptors that specify 0 for the number of endpoints,
> it will crash in the probe function. Ensure there is at least
> one endpoint on the interface before using it.
>
> The full report of this issue can be found here:
> http://seclists.org/bugtraq/2016/Mar/87
>
> Reported-by: Ralf Spenneberg
> Cc: stable
> Signed-off-by: Josh Boyer
> Signed-off-by: Greg Kroah-Hartman
> (cherry picked from commit 4ec0ef3a82125efc36173062a50624550a900ae0)
> Signed-off-by: Arnd Bergmann
> ---
>  drivers/usb/misc/iowarrior.c | 6 ++++++
>  1 file changed, 6 insertions(+)

This commit has been in the tree for a long time. It was in the 4.4.7
release, back in April 2016.

And then it was reverted in commit b7321e81fc36 ("USB: iowarrior: fix
NULL-deref at probe") as it broke systems.

So why add it back, the correct functionality should be there today,
right?

thanks,

greg k-h
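
The class of check the quoted commit message describes (refuse an interface that advertises 0 endpoints before any endpoint is used), as an added user-space example that is not part of this e-mail, the patch, or the kernel driver. The byte layout follows the standard USB 2.0 interface and endpoint descriptors; `probe_interface`, `struct probe_result`, the sample byte arrays and the choice of error codes are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DT_INTERFACE 0x04   /* USB 2.0 bDescriptorType values */
#define DT_ENDPOINT  0x05
#define IFACE_LEN    9      /* fixed descriptor sizes */
#define EP_LEN       7

struct probe_result { uint8_t ep_addr; uint16_t max_packet; };

/* Constructed samples: a sane interface, and one advertising 0 endpoints. */
static const uint8_t good_if[] = { 9, DT_INTERFACE, 0, 0, 1, 3, 0, 0, 0,
                                   7, DT_ENDPOINT, 0x81, 0x03, 8, 0, 10 };
static const uint8_t zero_ep_if[] = { 9, DT_INTERFACE, 0, 0, 0, 3, 0, 0, 0 };
/* Constructed sample: claims one endpoint but carries none. */
static const uint8_t lying_if[] = { 9, DT_INTERFACE, 0, 0, 1, 3, 0, 0, 0 };

/* Model of a probe step that needs the first endpoint of an interface. */
int probe_interface(const uint8_t *buf, size_t len, struct probe_result *out)
{
    if (len < IFACE_LEN || buf[0] < IFACE_LEN || buf[1] != DT_INTERFACE)
        return -EINVAL;
    if (buf[4] < 1)                 /* bNumEndpoints is device-controlled */
        return -ENODEV;             /* refuse before touching any endpoint */

    size_t off = buf[0];
    while (off + 2 <= len) {
        uint8_t dlen = buf[off], type = buf[off + 1];
        if (dlen < 2 || off + dlen > len)
            return -EINVAL;         /* zero-length or truncated descriptor */
        if (type == DT_ENDPOINT) {
            if (dlen < EP_LEN)
                return -EINVAL;
            out->ep_addr = buf[off + 2];
            out->max_packet = (uint16_t)(buf[off + 4] | (buf[off + 5] << 8));
            return 0;
        }
        off += dlen;                /* skip class-specific descriptors */
    }
    return -EINVAL;                 /* count was non-zero, nothing found */
}

int main(void)
{
    struct probe_result r;
    printf("good: %d\n", probe_interface(good_if, sizeof good_if, &r));
    printf("zero endpoints: %d\n", probe_interface(zero_ep_if, sizeof zero_ep_if, &r));
    printf("lying count: %d\n", probe_interface(lying_if, sizeof lying_if, &r));
    return 0;
}
```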