From patchwork Wed Jun 29 05:55:51 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Cameron Gutman <aicommander@gmail.com>
X-Patchwork-Id: 9204337
Return-Path: <linux-input-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	D71156075F for <patchwork-linux-input@patchwork.kernel.org>;
	Wed, 29 Jun 2016 05:57:12 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C61E02863C
	for <patchwork-linux-input@patchwork.kernel.org>;
	Wed, 29 Jun 2016 05:57:12 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id BAE6428641; Wed, 29 Jun 2016 05:57:12 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5C4442863C
	for <patchwork-linux-input@patchwork.kernel.org>;
	Wed, 29 Jun 2016 05:57:12 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751043AbcF2F5K (ORCPT
	<rfc822;patchwork-linux-input@patchwork.kernel.org>);
	Wed, 29 Jun 2016 01:57:10 -0400
Received: from mail-pf0-f195.google.com ([209.85.192.195]:34122 "EHLO
	mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751020AbcF2F5J (ORCPT
	<rfc822;linux-input@vger.kernel.org>);
	Wed, 29 Jun 2016 01:57:09 -0400
Received: by mail-pf0-f195.google.com with SMTP id 66so3655042pfy.1
	for <linux-input@vger.kernel.org>;
	Tue, 28 Jun 2016 22:55:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=to:from:subject:message-id:date:user-agent:mime-version
	:content-transfer-encoding;
	bh=CesbfmbgWGKN4kRBKr0qBPCE3D1GRmZa6WgQcoh0gqg=;
	b=EGIH7AQtWahBRfK+cGLGkUX4SNWY8gziHhRE+bcsEZEggW7UnS3ti7ATSABaKltCc6
	LDXT/mLl1VRKfDmEwqoh/rUQ0Fzl+3AbWw18jKE/YkaKkrfyOP2RdUJl8G2nDRgKPido
	wYyAX5heJpUHdd9rigIiMwr5BViuCM1tCvWY+p1wXup/DjZsgfD0tBwuYEc1mr9uGpsk
	jbvBUGjpVysEwpHHl54ubm7sZLgMEKxitkOzot4u5CQAQKwryQJOLbTACGggSMfN5hvH
	BZE9M61Cy2EHUMgDLDpfvb9Zxb6DCzrlLPMfEl7CVpSd3V3MQP5NIg6ePxEIjdXVTv7Q
	U+1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:to:from:subject:message-id:date:user-agent
	:mime-version:content-transfer-encoding;
	bh=CesbfmbgWGKN4kRBKr0qBPCE3D1GRmZa6WgQcoh0gqg=;
	b=bPNMXSZsqGDytnMJgigRz591zdF/yxJE4sZAYJz7qbnCBgSr6oGZ7BH5aNeVaejdgn
	Z6I1EX+PMwnGvAEqcWCbL+/qfHHKfHHKZAntzMGsFZacnNmFwxkrYXARMYSuY/dppt8T
	tWOtKbKDvRJLZo9OKCExuDVSFVhn+oV1+B3j0g9RrjlzNxyxoR81xehveRS38erBGTt7
	70EyznnZ7WKCdwhSHckC0bzzFfzV9qED/x2+tyYLp2R17dX20Xr9bdVUWREcWBSO/Jef
	4o3+4JwWPMdInKGc43/FVgCkEwy5Ndmv3MBcHndZkxFXrNDJba8yHCYlDu+h026Nj0nR
	ESZw==
X-Gm-Message-State: 
 ALyK8tJEgbcXrffvhVw8f10r2KMH/jzmGvD2oSr/Krh6LJA+jygMrr04pVNIuIgSWg4wCw==
X-Received: by 10.98.69.81 with SMTP id s78mr8353347pfa.63.1467179753051;
	Tue, 28 Jun 2016 22:55:53 -0700 (PDT)
Received: from ?IPv6:2601:600:9000:7c87:ed2f:423b:24a6:576e?
	([2601:600:9000:7c87:ed2f:423b:24a6:576e])
	by smtp.gmail.com with ESMTPSA id
	h66sm2327105pfe.6.2016.06.28.22.55.52
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 28 Jun 2016 22:55:52 -0700 (PDT)
To: linux-input <linux-input@vger.kernel.org>,
	Dmitry Torokhov <dmitry.torokhov@gmail.com>
From: Cameron Gutman <aicommander@gmail.com>
Subject: [PATCH] Input: xpad - validate USB endpoint count during probe
Message-ID: <577362E7.2000508@gmail.com>
Date: Wed, 29 Jun 2016 00:55:51 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
	Thunderbird/38.8.0
MIME-Version: 1.0
Sender: linux-input-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-input.vger.kernel.org>
X-Mailing-List: linux-input@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

This prevents a malicious USB device from causing an oops.

Signed-off-by: Cameron Gutman <aicommander@gmail.com>
Cc: stable@vger.kernel.org
---
 drivers/input/joystick/xpad.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
index 3438e98..a529a45 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -1431,6 +1431,9 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id
 	int ep_irq_in_idx;
 	int i, error;
 
+	if (intf->cur_altsetting->desc.bNumEndpoints != 2)
+		return -ENODEV;
+
 	for (i = 0; xpad_device[i].idVendor; i++) {
 		if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) &&
 		    (le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct))