Field | Value |
---|---|
Message ID | 20190504033748.17964-1-baijiaju1990@gmail.com (mailing list archive) |
State | Mainlined |
Commit | 5bce256f0b528624a34fe907db385133bb7be33e |
Series | usb: host: xhci_debugfs: Fix a null pointer dereference in xhci_debugfs_create_endpoint() |
On Sat, May 04, 2019 at 11:37:48AM +0800, Jia-Ju Bai wrote:
> In xhci_debugfs_create_slot(), kzalloc() can fail and
> dev->debugfs_private will be NULL.
> In xhci_debugfs_create_endpoint(), dev->debugfs_private is used without
> any null-pointer check, and can cause a null pointer dereference.
>
> To fix this bug, a null-pointer check is added in
> xhci_debugfs_create_endpoint().
>
> This bug is found by a runtime fuzzing tool named FIZZER written by us.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>

Very rare case, but nice fix. You should put "potential" in your subject
line as this is something that no one should ever hit :)

Anyway:

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
On 2019/5/4 14:33, Greg KH wrote:
> On Sat, May 04, 2019 at 11:37:48AM +0800, Jia-Ju Bai wrote:
>> In xhci_debugfs_create_slot(), kzalloc() can fail and
>> dev->debugfs_private will be NULL.
>> In xhci_debugfs_create_endpoint(), dev->debugfs_private is used without
>> any null-pointer check, and can cause a null pointer dereference.
>>
>> To fix this bug, a null-pointer check is added in
>> xhci_debugfs_create_endpoint().
>>
>> This bug is found by a runtime fuzzing tool named FIZZER written by us.
>>
>> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
> Very rare case, but nice fix. You should put "potential" in your
> subject line as this is something that no one should ever hit :)

Okay, Greg, thanks for this advice :)

Best wishes,
Jia-Ju Bai
On 4.5.2019 10.30, Jia-Ju Bai wrote:
>
>
> On 2019/5/4 14:33, Greg KH wrote:
>> On Sat, May 04, 2019 at 11:37:48AM +0800, Jia-Ju Bai wrote:
>>> In xhci_debugfs_create_slot(), kzalloc() can fail and
>>> dev->debugfs_private will be NULL.
>>> In xhci_debugfs_create_endpoint(), dev->debugfs_private is used without
>>> any null-pointer check, and can cause a null pointer dereference.
>>>
>>> To fix this bug, a null-pointer check is added in
>>> xhci_debugfs_create_endpoint().
>>>
>>> This bug is found by a runtime fuzzing tool named FIZZER written by us.
>>>
>>> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
>> Very rare case, but nice fix. You should put "potential" in your
>> subject line as this is something that no one should ever hit :)
>
> Okay, Greg, thanks for this advice :)
>

Adding patch to queue, and added "potential" to subject line.

-Mathias
diff --git a/drivers/usb/host/xhci-debugfs.c b/drivers/usb/host/xhci-debugfs.c index cadc01336bf8..7ba6afc7ef23 100644 --- a/drivers/usb/host/xhci-debugfs.c +++ b/drivers/usb/host/xhci-debugfs.c @@ -440,6 +440,9 @@ void xhci_debugfs_create_endpoint(struct xhci_hcd *xhci, struct xhci_ep_priv *epriv; struct xhci_slot_priv *spriv = dev->debugfs_private; + if (!spriv) + return; + if (spriv->eps[ep_index]) return;
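Review bot: the new guard sits in the right place, before the first dereference at `spriv->eps[ep_index]`, but nothing in the function tells a reader why `dev->debugfs_private` can legitimately be NULL here; a one-line comment above `if (!spriv)` saying that `xhci_debugfs_create_slot()` stores the result of a `kzalloc()` that may have failed would keep the reason next to the check instead of only in the commit message. As Greg noted, the subject line should also say "potential", since reaching the NULL case requires that allocation failure.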
In xhci_debugfs_create_slot(), kzalloc() can fail and
dev->debugfs_private will be NULL.
In xhci_debugfs_create_endpoint(), dev->debugfs_private is used without
any null-pointer check, and can cause a null pointer dereference.

To fix this bug, a null-pointer check is added in
xhci_debugfs_create_endpoint().

This bug is found by a runtime fuzzing tool named FIZZER written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>

---
 drivers/usb/host/xhci-debugfs.c | 3 +++
 1 file changed, 3 insertions(+)
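Added example, not code from the xhci driver or from this patch: a small C model of the failure path the commit message describes, with a constructed fault-injecting allocator standing in for kzalloc(). The struct names, the endpoint array size and the int return value of create_endpoint() are assumptions made for testability; the kernel function is void.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel structs (assumptions, not xhci code). */
struct slot_priv { void *eps[31]; };  /* 31: constructed endpoint count */
struct virt_device { struct slot_priv *debugfs_private; };

/* Fault-injection switch standing in for a kzalloc() that returns NULL. */
static bool alloc_should_fail;
static int dummy_dir;  /* stands in for a created debugfs directory */

static void *fake_kzalloc(size_t n)
{
	return alloc_should_fail ? NULL : calloc(1, n);
}

/* Mirrors the create_slot() behaviour in the commit message: the allocation
 * result is stored with no error propagation, so a failure silently leaves
 * dev->debugfs_private == NULL for every later caller. */
static void create_slot(struct virt_device *dev)
{
	dev->debugfs_private = fake_kzalloc(sizeof(struct slot_priv));
}

/* The patched create_endpoint(): 0 when an entry is created, -1 when it bails
 * out (missing slot data, or endpoint already present). Return value is an
 * assumption for testing; the kernel function is void. */
static int create_endpoint(struct virt_device *dev, int ep_index)
{
	struct slot_priv *spriv = dev->debugfs_private;
	if (!spriv)  /* guard from the patch; without it the next line derefs NULL */
		return -1;
	if (spriv->eps[ep_index])
		return -1;
	spriv->eps[ep_index] = &dummy_dir;
	return 0;
}

/* Drives the failure path end to end: slot allocation fails, then the endpoint
 * hook runs as it would during device setup. True means the guard took the
 * early return instead of touching a NULL spriv. */
static bool run_alloc_failure_scenario(void)
{
	struct virt_device dev = { 0 };
	alloc_should_fail = true;
	create_slot(&dev);
	alloc_should_fail = false;
	return dev.debugfs_private == NULL && create_endpoint(&dev, 0) == -1;
}
```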