Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp4031711img; Tue, 26 Mar 2019 01:21:47 -0700 (PDT) X-Google-Smtp-Source: APXvYqz99JMVUDAetwYUEaZQAiAtmWguPnEWiKvgTNsJZyyrN9k8WI9EQo8L3PkVAVVQTNVyni9v X-Received: by 2002:a17:902:5c5:: with SMTP id f63mr26733714plf.64.1553588507449; Tue, 26 Mar 2019 01:21:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553588507; cv=none; d=google.com; s=arc-20160816; b=ADwEAjXRxzwyxZuMkza8Guk88AelDZpPnVjR8k480o46OaKt9gg7T4bPzyRRlauZtV 8dsZx0iXv2wl8wpxmrkCRfNGOf7MQaYI4xVUFC/QvZie+x2db2F1j2BP5gxWQAnfimOQ foZJGQN17uXOyBFHP6B3uJlwPJbI79qAdGUnrjYRBlTcWWfb/O90ND9bkLvZ7p2rrJhI 1cHpwWi2AMML+V9xbEdmTcApLWFgmoKJklPBH1KGB03I7ygnMFONi1zK4N7i63KW4BFI /FSwktE6fZeAJJnTripbIIANPew1ScESB54DEiILGZ5TwwAnoS3tDHowJGtS/yKi/Opd VDLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version; bh=01AgOD1FiCLKydD75Ls4KyfhgM8ZPlrxuRYuNZhSbKQ=; b=gij6mcJsKGyAxgHVRsYHOti++jzr/BezrRq9kwqzCPjrmYk0n1qvM7Tq1T/ng/D0At MLQlRDheya4gK7Y7MHcK8qbuyNLOgGdveTs7ZVJcQO4jfgrlOGvJbI/iR4pfbGzJMFot U8DTtkf8A3NGiL6hM0gWh+rhsUxWxRYG4CGJ95eE04IUISU6b+zuqfBjFYYDu30AnJWH cGybi+J0gNVB/du88847uG62oR8ukcQ+G0+Sv/Wig9FUt0/m4B2D/paZq8iMZ3OM8PmT Om+4XkpcVmTx55Z4jOvRD2LXPjr/DrBel0dMKzfcIJ+qrFkiE1382/ZmPcecWR40aAbb 1Nfw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v69si12495122pgd.276.2019.03.26.01.21.32; Tue, 26 Mar 2019 01:21:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730649AbfCZIU6 (ORCPT + 99 others); Tue, 26 Mar 2019 04:20:58 -0400 Received: from mail-qt1-f194.google.com ([209.85.160.194]:46156 "EHLO mail-qt1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726042AbfCZIU6 (ORCPT ); Tue, 26 Mar 2019 04:20:58 -0400 Received: by mail-qt1-f194.google.com with SMTP id z17so13478205qts.13; Tue, 26 Mar 2019 01:20:57 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=01AgOD1FiCLKydD75Ls4KyfhgM8ZPlrxuRYuNZhSbKQ=; b=EE1eCYXL/+0kQkWh/mZW4sUnKJmdEUyAchKybHCSUZ0J5dVwXgj2bXV54j79Uw/POH hMFBBDwEsChI997LGvYh2oDkSC04EDWuJ4bYibXJAU7G4/zPXQerPaelBqjmRH/+HVt6 DlGP42p1mSfrFdjii1/Nr34o8bnASz3aU9cRaxQzjM7FSUwPRwPgoaF8SJ5ESuyZ/Blo CTDaiKz3zpWoBGfGCafUZBfFNZ349J/HT57oXeSMsGnkcuVDUGZSL5sIbG7dcNGkiLso EzbWDNAho3FW6slYCZXSoYaI7Jvca+LEOh1oQpXx+6P8L2f6F9MU8iFFunxzk9hQ5eqO 0L3w== X-Gm-Message-State: APjAAAXkkuOWmgTfVGqzttZlPkmZzdXAebQV3K/rVdVzTJPeShsvK9l5 bNOmKQ39TC9h049M1oU1LaJvM/th21ajeakNqME= X-Received: by 2002:a0c:b501:: with SMTP id d1mr24804782qve.115.1553588457049; Tue, 26 Mar 2019 01:20:57 -0700 (PDT) MIME-Version: 1.0 References: <20190322154425.3852517-1-arnd@arndb.de> <20190322154425.3852517-5-arnd@arndb.de> <20190326011319.GC29420@kroah.com> In-Reply-To: <20190326011319.GC29420@kroah.com> From: Arnd Bergmann Date: Tue, 26 Mar 2019 09:20:40 +0100 Message-ID: Subject: Re: [BACKPORT 4.4.y 04/25] USB: iowarrior: fix oops with malicious USB descriptors To: Greg Kroah-Hartman Cc: "# 3.4.x" , Kees Cook , Sebastian Andrzej Siewior , "Gustavo A. R. Silva" , Josh Boyer , Ralf Spenneberg , USB list , Linux Kernel Mailing List , Chunyan Zhang , Baolin Wang Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 26, 2019 at 2:23 AM Greg Kroah-Hartman wrote: > > On Fri, Mar 22, 2019 at 04:43:55PM +0100, Arnd Bergmann wrote: > > From: Josh Boyer > > > > The iowarrior driver expects at least one valid endpoint. If given > > malicious descriptors that specify 0 for the number of endpoints, > > it will crash in the probe function. Ensure there is at least > > one endpoint on the interface before using it. > > > > The full report of this issue can be found here: > > http://seclists.org/bugtraq/2016/Mar/87 > > > > Reported-by: Ralf Spenneberg > > Cc: stable > > Signed-off-by: Josh Boyer > > Signed-off-by: Greg Kroah-Hartman > > (cherry picked from commit 4ec0ef3a82125efc36173062a50624550a900ae0) > > Signed-off-by: Arnd Bergmann > > --- > > drivers/usb/misc/iowarrior.c | 6 ++++++ > > 1 file changed, 6 insertions(+) > > This commit has been in the tree for a long time. It was in the 4.4.7 > release, back in April 2016. And then it was reverted in commit > b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe") as it broke > systems. So why add it back, the correct functionality should be there > today, right? Sorry I missed that history. The script I used to identify patches noticed that this patch was not applied, but I did not have a check for already- reverted patches. Chunyan, Baolin: it seems the spreadtrum 4.4 kernel got this wrong as well, by backporting the patch again on top of 4.4.172. Can you check the latest internal version for this? Arnd