summaryrefslogtreecommitdiffstats
path: root/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
diff options
context:
space:
mode:
Diffstat (limited to 'USB-input-powermate-fix-oops-with-malicious-USB-desc.patch')
-rw-r--r--USB-input-powermate-fix-oops-with-malicious-USB-desc.patch38
1 files changed, 38 insertions, 0 deletions
diff --git a/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch b/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
new file mode 100644
index 000000000..7de890e1b
--- /dev/null
+++ b/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
@@ -0,0 +1,38 @@
+From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Mon, 14 Mar 2016 10:02:51 -0400
+Subject: [PATCH] USB: input: powermate: fix oops with malicious USB
+ descriptors
+
+The powermate driver expects at least one valid USB endpoint in its
+probe function. If given malicious descriptors that specify 0 for
+the number of endpoints, it will crash. Validate the number of
+endpoints on the interface before using them.
+
+The full report for this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/85
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ drivers/input/misc/powermate.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
+index 63b539d3daba..84909a12ff36 100644
+--- a/drivers/input/misc/powermate.c
++++ b/drivers/input/misc/powermate.c
+@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
+ int error = -ENOMEM;
+
+ interface = intf->cur_altsetting;
++ if (interface->desc.bNumEndpoints < 1)
++ return -EINVAL;
++
+ endpoint = &interface->endpoint[0].desc;
+ if (!usb_endpoint_is_int_in(endpoint))
+ return -EIO;
+--
+2.5.0
+
generated by cgit (git 2.34.1) at 2024-06-13 12:11:40 +0000