Subject: Re: [PATCH] isdn/gigaset: check endpoint null in gigaset_probe
From: Paul Bolle
To: Phong Tran , isdn@linux-pingi.de, gregkh@linuxfoundation.org
Cc: gigaset307x-common@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+35b1c403a14f5c89eba7@syzkaller.appspotmail.com
Date: Fri, 26 Jul 2019 16:22:18 +0200

Phong Tran wrote on Fri 26-07-2019 at 20:35 [+0700]:
> This fixed the potential reference NULL pointer while using variable
> endpoint.
>
> Reported-by: syzbot+35b1c403a14f5c89eba7@syzkaller.appspotmail.com
> Tested by syzbot:
> https://groups.google.com/d/msg/syzkaller-bugs/wnHG8eRNWEA/Qn2HhjNdBgAJ
>
> Signed-off-by: Phong Tran
> ---
> drivers/isdn/gigaset/usb-gigaset.c | 9 +++++++++

This is now drivers/staging/isdn/gigaset/usb-gigaset.c.

> 1 file changed, 9 insertions(+)
>
> diff --git a/drivers/isdn/gigaset/usb-gigaset.c b/drivers/isdn/gigaset/usb-gigaset.c > index 1b9b43659bdf..2e011f3db59e 100644 > --- a/drivers/isdn/gigaset/usb-gigaset.c > +++ b/drivers/isdn/gigaset/usb-gigaset.c
> @@ -703,6 +703,10 @@ static int gigaset_probe(struct usb_interface *interface, > usb_set_intfdata(interface, cs); > > endpoint = &hostif->endpoint[0].desc; > + if (!endpoint) { > + dev_err(cs->dev, "Couldn't get control endpoint\n"); > + return -ENODEV; > + } When can this happen? Is this one of those bugs that one can only trigger with a specially crafted (evil) usb device? > buffer_size = le16_to_cpu(endpoint->wMaxPacketSize); > ucs->bulk_out_size = buffer_size; > @@ -722,6 +726,11 @@ static int gigaset_probe(struct usb_interface *interface, > } > > endpoint = &hostif->endpoint[1].desc; > + if (!endpoint) { > + dev_err(cs->dev, "Endpoint not available\n"); > + retval = -ENODEV; > + goto error; > + } > > ucs->busy = 0; >

Please note that I'm very close to getting cut off from the ISDN network, so
the chances of being able to test this on a live system are getting small.

Thanks,

Paul Bolle
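
Review bot: in the first hunk (`@@ -703`), the new error path exits with a bare `return -ENODEV;` although `usb_set_intfdata(interface, cs);` has already run on the context line just above, while the second hunk sets `retval = -ENODEV;` and does `goto error;`. Use the `goto error` form here as well so that whatever the `error` label undoes is also undone on this path. The commit message should also state under which condition `endpoint` is expected to be NULL, which is the question asked in the reply.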
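
Review bot: in the second hunk (`@@ -722`), `if (!endpoint)` tests the result of `&hostif->endpoint[1].desc`, which is the address of a member of the second array element and is therefore never NULL, so this branch cannot be taken. The test says nothing about whether the interface really has a second endpoint. Check the endpoint count before indexing instead, for example by testing `hostif->desc.bNumEndpoints < 2` once ahead of the first `hostif->endpoint[0]` access, which would replace both added checks.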