From: Yang Xiao <92siuyang@gmail.com>
Date: Fri, 12 Apr 2019 17:36:48 +0800
Subject: Re: [PATCH] USB: s2255 & stkwebcam: fix oops with malicious USB descriptors
To: Bjørn Mork
Cc: kbuild-all@01.org, linux-usb@vger.kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, greg@kroah.com, mchehab@kernel.org, Kees Cook, hans.verkuil@cisco.com, Young Xiao
X-Mailing-List: linux-kernel@vger.kernel.org

I am so sorry. I misunderstood the reason for CVE-2016-2188.
Sorry again!!!

On Fri, Apr 12, 2019 at 5:07 PM Bjørn Mork wrote:
>
> Yang Xiao <92siuyang@gmail.com> writes:
>
> > If given malicious descriptors that specify 0 for the number of endpoints,
> > then there is a null pointer dereference when calling function
> > usb_endpoint_is_bulk_in.
> >
> > for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>
> Try this:
>
> #include <stdio.h>
> int main()
> {
>     int i;
>     for (i=0; i<0; ++i)
>         printf("%d\n", i);
>     return 0;
> }
>
> How many lines did it print?
>
>
> Bjørn
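
An added illustration of the point in the quoted reply (not part of the thread, and not the s2255 or stkwebcam driver code): with bNumEndpoints set to 0 the scan loop body never runs, so nothing is dereferenced inside it, and what a zero-endpoint descriptor leaves behind is a "not found" result for the caller to check. The structs, function names and sample descriptors are hypothetical simplifications of the kernel's.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stand-ins for the kernel's descriptor structs. */
struct ep_desc { uint8_t bEndpointAddress; uint8_t bmAttributes; };
struct iface_desc {
    uint8_t bNumEndpoints;
    const struct ep_desc *endpoint;   /* NULL when there are no endpoints */
};

/* Same test usb_endpoint_is_bulk_in() performs: IN direction, bulk type. */
static int ep_is_bulk_in(const struct ep_desc *ep)
{
    return (ep->bEndpointAddress & 0x80) && (ep->bmAttributes & 0x03) == 0x02;
}

/* Scan loop in the shape quoted in the thread. Returns the bulk-in endpoint
 * address, or 0 if none was found; *iterations counts how many times the
 * body (and so the dereference) actually ran. */
static uint8_t find_bulk_in(const struct iface_desc *d, int *iterations)
{
    uint8_t found = 0;
    int i;

    *iterations = 0;
    for (i = 0; i < d->bNumEndpoints; ++i) {
        ++*iterations;
        if (!found && ep_is_bulk_in(&d->endpoint[i]))
            found = d->endpoint[i].bEndpointAddress;
    }
    return found;
}

/* Probe-style caller: the result is validated after the loop. */
static int probe(const struct iface_desc *d)
{
    int n;
    uint8_t ep = find_bulk_in(d, &n);

    return ep ? ep : -ENODEV;   /* no usable endpoint: refuse to bind */
}

/* Constructed sample descriptors. */
static const struct ep_desc sample_eps[] = { {0x02, 0x02}, {0x81, 0x02} };
static const struct iface_desc zero_eps = { 0, NULL };
static const struct iface_desc two_eps  = { 2, sample_eps };

int main(void) { return (probe(&zero_eps) == -ENODEV && probe(&two_eps) == 0x81) ? 0 : 1; }
```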