iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

go7007: add sanity checking for endpoints

Browse Source 
A malicious USB device may lack endpoints the driver assumes to exist
Accessing them leads to NULL pointer accesses. This patch introduces
sanity checking.

Reported-and-tested-by: syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Fixes: 866b8695d67e8 ("Staging: add the go7007 video driver")
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
This commit is contained in:
Oliver Neukum 2020-05-05 12:50:33 +02:00 committed by Mauro Carvalho Chehab
parent ebeacb1f61
commit 137641287e
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
drivers/media/usb/go7007/go7007-usb.c
View File

@ -1132,6 +1132,10 @@ static int go7007_usb_probe(struct usb_interface *intf,
go->hpi_ops = &go7007_usb_onboard_hpi_ops; go->hpi_ops = &go7007_usb_onboard_hpi_ops;
go->hpi_context = usb; go->hpi_context = usb;
ep = usb->usbdev->ep_in[4];
if (!ep)
return -ENODEV;
/* Allocate the URB and buffer for receiving incoming interrupts */ /* Allocate the URB and buffer for receiving incoming interrupts */
usb->intr_urb = usb_alloc_urb(0, GFP_KERNEL); usb->intr_urb = usb_alloc_urb(0, GFP_KERNEL);
if (usb->intr_urb == NULL) if (usb->intr_urb == NULL)
@ -1141,7 +1145,6 @@ static int go7007_usb_probe(struct usb_interface *intf,
if (usb->intr_urb->transfer_buffer == NULL) if (usb->intr_urb->transfer_buffer == NULL)
goto allocfail; goto allocfail;
ep = usb->usbdev->ep_in[4];
if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
usb_fill_bulk_urb(usb->intr_urb, usb->usbdev, usb_fill_bulk_urb(usb->intr_urb, usb->usbdev,
usb_rcvbulkpipe(usb->usbdev, 4), usb_rcvbulkpipe(usb->usbdev, 4),
@ -1263,9 +1266,13 @@ static int go7007_usb_probe(struct usb_interface *intf,
/* Allocate the URBs and buffers for receiving the video stream */ /* Allocate the URBs and buffers for receiving the video stream */
if (board->flags & GO7007_USB_EZUSB) { if (board->flags & GO7007_USB_EZUSB) {
if (!usb->usbdev->ep_in[6])
goto allocfail;
v_urb_len = 1024; v_urb_len = 1024;
video_pipe = usb_rcvbulkpipe(usb->usbdev, 6); video_pipe = usb_rcvbulkpipe(usb->usbdev, 6);
} else { } else {
if (!usb->usbdev->ep_in[1])
goto allocfail;
v_urb_len = 512; v_urb_len = 512;
video_pipe = usb_rcvbulkpipe(usb->usbdev, 1); video_pipe = usb_rcvbulkpipe(usb->usbdev, 1);
} }
@ -1285,6 +1292,8 @@ static int go7007_usb_probe(struct usb_interface *intf,
/* Allocate the URBs and buffers for receiving the audio stream */ /* Allocate the URBs and buffers for receiving the audio stream */
if ((board->flags & GO7007_USB_EZUSB) && if ((board->flags & GO7007_USB_EZUSB) &&
(board->main_info.flags & GO7007_BOARD_HAS_AUDIO)) { (board->main_info.flags & GO7007_BOARD_HAS_AUDIO)) {
if (!usb->usbdev->ep_in[8])
goto allocfail;
for (i = 0; i < 8; ++i) { for (i = 0; i < 8; ++i) {
usb->audio_urbs[i] = usb_alloc_urb(0, GFP_KERNEL); usb->audio_urbs[i] = usb_alloc_urb(0, GFP_KERNEL);
if (usb->audio_urbs[i] == NULL) if (usb->audio_urbs[i] == NULL)