From patchwork Fri Jan 3 16:35:08 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11317041 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 121C5138C for ; Fri, 3 Jan 2020 16:36:03 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E47A0206E6 for ; Fri, 3 Jan 2020 16:36:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578069363; bh=kjrgtrC2p5Ze8muSZDjMpTFZ6AR3yll5W1vZFaxFI9E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=dwYMpZF9L9LdxXhrcFBUuvUsmNaVZoH073amHkYjmgdAQ7eSK3CUnoYpW+FrbFKsD Uvd6l+teLsC7fJbyEJKo4QyU/ezqEftzdl8BWU/PHamKJZL27G/0iimrKT0m/jE9Qo ooai5sPPFlbRm6FtpKPKQEAs66jfdatpODqVJWCg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728066AbgACQff (ORCPT ); Fri, 3 Jan 2020 11:35:35 -0500 Received: from mail-lf1-f65.google.com ([209.85.167.65]:36873 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727980AbgACQfe (ORCPT ); Fri, 3 Jan 2020 11:35:34 -0500 Received: by mail-lf1-f65.google.com with SMTP id b15so32230161lfc.4; Fri, 03 Jan 2020 08:35:32 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=t2rl7ZcqsXYCGxJFsJJzURnWZhFxN2ZAlltA2Ev3mU0=; b=AmWBVvo5Xq/2tBHD+L2G9q7NB990zlGpdF0heX3OEKuI6aiLDMh2z2JVI/L0nEMVK3 KkrK/6ySm9rfgvHtkwERWvbJ7bztIXXVYG7mkv6mTiS7Up4BYptrAzAdkCefsF9I3q8Y to+5oQDwJKSYBimKztPlEFR7pKz6qcas6gpqtnw013FHeTptkMOvCQNjUhQ5v3T2YM69 85i0pPBoVoOK7Bt8BXCty33Ue9Rp1GihxumDiGaAsdpGkN3sAZQnDjaLIJGPcp8gA61q VIWw8bdaqs5w4L9szqA+lzq4k6dMhjLtbK/yA1TCYflM0BOFvC/nYjF9GXjNpSbkpqL6 p0ZA== X-Gm-Message-State: APjAAAUZ5uCbLx/Uu2lNKU8jLWQli+AFzCHEtn28xTZkvc0enyV2Zuoo zwwo2NVH0sgOv1qSkuqC4CXCxYPA X-Google-Smtp-Source: APXvYqwfQMiwtQBYqyr/l2m2RgF1Ki6vgIfhw+bV7PYO3ca3nP4scEMNOH8ETfGDb0vV1FuNaILXpw== X-Received: by 2002:ac2:5147:: with SMTP id q7mr50425117lfd.87.1578069332135; Fri, 03 Jan 2020 08:35:32 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id d20sm24857445lfm.32.2020.01.03.08.35.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 Jan 2020 08:35:30 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1inPvB-0000Kj-3W; Fri, 03 Jan 2020 17:35:33 +0100 From: Johan Hovold To: Mauro Carvalho Chehab Cc: Sean Young , Hans Verkuil , linux-media@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , Oliver Neukum , stable Subject: [PATCH 1/6] media: flexcop-usb: fix endpoint sanity check Date: Fri, 3 Jan 2020 17:35:08 +0100 Message-Id: <20200103163513.1229-2-johan@kernel.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200103163513.1229-1-johan@kernel.org> References: <20200103163513.1229-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org A recent commit added an endpoint sanity check to address a NULL-pointer dereference on probe. Unfortunately the check was done on the current altsetting which was later changed. Fix this by moving the sanity check to after the altsetting is changed. Fixes: 1b976fc6d684 ("media: b2c2-flexcop-usb: add sanity checking") Cc: Oliver Neukum Cc: stable Signed-off-by: Johan Hovold --- drivers/media/usb/b2c2/flexcop-usb.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c index 039963a7765b..198ddfb8d2b1 100644 --- a/drivers/media/usb/b2c2/flexcop-usb.c +++ b/drivers/media/usb/b2c2/flexcop-usb.c @@ -511,6 +511,9 @@ static int flexcop_usb_init(struct flexcop_usb *fc_usb) return ret; } + if (fc_usb->uintf->cur_altsetting->desc.bNumEndpoints < 1) + return -ENODEV; + switch (fc_usb->udev->speed) { case USB_SPEED_LOW: err("cannot handle USB speed because it is too slow."); @@ -544,9 +547,6 @@ static int flexcop_usb_probe(struct usb_interface *intf, struct flexcop_device *fc = NULL; int ret; - if (intf->cur_altsetting->desc.bNumEndpoints < 1) - return -ENODEV; - if ((fc = flexcop_device_kmalloc(sizeof(struct flexcop_usb))) == NULL) { err("out of memory\n"); return -ENOMEM; From patchwork Fri Jan 3 16:35:09 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11317029 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0786C1395 for ; Fri, 3 Jan 2020 16:35:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id DC457222C3 for ; Fri, 3 Jan 2020 16:35:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578069352; bh=qi2vtcJ1NohHCZGnuOHTQ56B1+deOvxq4b7kiG7enfc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=j0IlOSffNexDWLoU0pQC2fZCI5t8aWIUcZ3ns/mnRkkJuk8cMRReIPKB+g0hwmSrt 8O+1VrBNJ0o78I9S5EdyY9g6PHluL2Iwixy9zIK9fHvHPu+M+zr5/jwuwbYwF7BpGH LvcIiqNI5YSuVdCRQZuPyNQcWZHGoE0OJVs+0gEs= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728097AbgACQfi (ORCPT ); Fri, 3 Jan 2020 11:35:38 -0500 Received: from mail-lj1-f193.google.com ([209.85.208.193]:45524 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728064AbgACQfh (ORCPT ); Fri, 3 Jan 2020 11:35:37 -0500 Received: by mail-lj1-f193.google.com with SMTP id j26so44403262ljc.12; Fri, 03 Jan 2020 08:35:35 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=fvUvyPauFgb0gSD0dBGAKRr2laNeAtuutqe4RwswNwo=; b=HNkvjSfytuTs2BsFxEvBmoTJbcNYqlO1KkHDd0GLJa1b9Th60vzPBrEKocrypaPFX8 5awHdLZ5FlRU1rr+lyV1tA1HTgwXu8etVZneBbcoxsORI/1QdKxiKqiOLPK0QIZsOtQe WlNzOnSGwUz7i4X/O+ywARE26ke9sxqyHpptdqPHdk/YAB87s0ofD34k7YVBX/iL7+Nb 56AvxYU/TOvtGiXxpB5LinrLY8vNqFD9G3pPETFFh4i+RkjryIjSJr9CSonlZQsffQPY 1+F3e241z1GWaPt/vViKGFrgiYRanmwfqkiDpyutfNUAoRRsGn1sJ0a6WAmCui3sWrPs Iadw== X-Gm-Message-State: APjAAAUqqNpsJJd5SVon3svXFAEIMMTNwhFNNj3tFZt8BIhU47LKqSKP g4l/fns1ei/vJeQpkrKWXMM= X-Google-Smtp-Source: APXvYqw7CC0QU8Touq6DWulQjWAKvYvfvYb2oEEcSrTqdjfy566G+5e/mN2WX3nEvGCEmfRtDY0bTw== X-Received: by 2002:a2e:9592:: with SMTP id w18mr52088640ljh.98.1578069334478; Fri, 03 Jan 2020 08:35:34 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id r21sm24849749ljn.64.2020.01.03.08.35.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 Jan 2020 08:35:32 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1inPvB-0000Kp-6W; Fri, 03 Jan 2020 17:35:33 +0100 From: Johan Hovold To: Mauro Carvalho Chehab Cc: Sean Young , Hans Verkuil , linux-media@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable , Hans de Goede Subject: [PATCH 2/6] media: ov519: add missing endpoint sanity checks Date: Fri, 3 Jan 2020 17:35:09 +0100 Message-Id: <20200103163513.1229-3-johan@kernel.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200103163513.1229-1-johan@kernel.org> References: <20200103163513.1229-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Make sure to check that we have at least one endpoint before accessing the endpoint array to avoid dereferencing a NULL-pointer on stream start. Note that these sanity checks are not redundant as the driver is mixing looking up altsettings by index and by number, which need not coincide. Fixes: 1876bb923c98 ("V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge") Fixes: b282d87332f5 ("V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)") Cc: stable # 2.6.31 Cc: Hans de Goede Signed-off-by: Johan Hovold --- drivers/media/usb/gspca/ov519.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/media/usb/gspca/ov519.c b/drivers/media/usb/gspca/ov519.c index f417dfc0b872..0afe70a3f9a2 100644 --- a/drivers/media/usb/gspca/ov519.c +++ b/drivers/media/usb/gspca/ov519.c @@ -3477,6 +3477,11 @@ static void ov511_mode_init_regs(struct sd *sd) return; } + if (alt->desc.bNumEndpoints < 1) { + sd->gspca_dev.usb_err = -ENODEV; + return; + } + packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); reg_w(sd, R51x_FIFO_PSIZE, packet_size >> 5); @@ -3603,6 +3608,11 @@ static void ov518_mode_init_regs(struct sd *sd) return; } + if (alt->desc.bNumEndpoints < 1) { + sd->gspca_dev.usb_err = -ENODEV; + return; + } + packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); ov518_reg_w32(sd, R51x_FIFO_PSIZE, packet_size & ~7, 2); From patchwork Fri Jan 3 16:35:10 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11317037 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 27B711395 for ; Fri, 3 Jan 2020 16:36:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 06D56222C3 for ; Fri, 3 Jan 2020 16:36:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578069361; bh=9IxaneBXBz//cqI9ucpOav97oG/Yx4zZ9kzLoz22MFg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=nh2r58gON2LxEJ8B5wljf0z+y/Hobc6VawHRpVdMMNKY/tthEbZiS0sc2lGGnJnnk 0zL0ZKRbPhkGvqRlqvENiUua/o8m/Ab1TVlJ26Q7/fVvz8UyiZ9kVJjb/fK2IvNqk7 qLsHfpc3mPob6xQSL1u63xAVWoXcPshDEJkjmlYU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728079AbgACQfg (ORCPT ); Fri, 3 Jan 2020 11:35:36 -0500 Received: from mail-lf1-f66.google.com ([209.85.167.66]:45707 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728036AbgACQfe (ORCPT ); Fri, 3 Jan 2020 11:35:34 -0500 Received: by mail-lf1-f66.google.com with SMTP id 203so32158587lfa.12; Fri, 03 Jan 2020 08:35:33 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=XMpeSMQqCmVMBjs6tekc+S1FNP6LOEYLPDRMzZL0Udw=; b=YI+M4AVbCcye0GMaWkhFa0GymmOkGJVJ5lquQDxd9uHVbIzEBTH5kvzfWTEKcN3hFc dMxCcMts/qc1JlMfPn0+cWnxbYUDop9sfNvSYLoI/MpgIbcDRP8cwZOe5uQEbyJTjJ5b tb+Cf3AR+2dZmLjU5gzELHLmvV7jsV9tBL2VA3ShVwD9IsL4MRiI62X0LZkNNY0oxUgt rfgcLYkfYcEUEFQgAdkIplB/apq4GAHskZLMeH1otSE1P3Is4cUJYvE443zrxYG9CNYs QSg83Lau34D58lDNZOTYsTkFJAS6s510nwpz/9MIk1A9Rmx0ZFkg/1OOWUGwVqbn0GhK Th6Q== X-Gm-Message-State: APjAAAUT5XjyBQHyw+W1/zdRvKd3gxb8H3rFSvfAUA/uQLBzoyUB/gLC 8jdu7HDDRI3Zblef0sSB+ukluify X-Google-Smtp-Source: APXvYqxpfJSvhuzuLgdXVlOKI4W1C/fxw3JnLN40r/V/o5hgJeYKUVXNqXgr/k46Kj/hvbpO/OwA/w== X-Received: by 2002:ac2:508e:: with SMTP id f14mr46728621lfm.72.1578069332612; Fri, 03 Jan 2020 08:35:32 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id w19sm24845957lfl.55.2020.01.03.08.35.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 Jan 2020 08:35:31 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1inPvB-0000Ku-9l; Fri, 03 Jan 2020 17:35:33 +0100 From: Johan Hovold To: Mauro Carvalho Chehab Cc: Sean Young , Hans Verkuil , linux-media@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable , Hans de Goede Subject: [PATCH 3/6] media: stv06xx: add missing descriptor sanity checks Date: Fri, 3 Jan 2020 17:35:10 +0100 Message-Id: <20200103163513.1229-4-johan@kernel.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200103163513.1229-1-johan@kernel.org> References: <20200103163513.1229-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Make sure to check that we have two alternate settings and at least one endpoint before accessing the second altsetting structure and dereferencing the endpoint arrays. This specifically avoids dereferencing NULL-pointers or corrupting memory when a device does not have the expected descriptors. Note that the sanity checks in stv06xx_start() and pb0100_start() are not redundant as the driver is mixing looking up altsettings by index and by number, which may not coincide. Fixes: 8668d504d72c ("V4L/DVB (12082): gspca_stv06xx: Add support for st6422 bridge and sensor") Fixes: c0b33bdc5b8d ("[media] gspca-stv06xx: support bandwidth changing") Cc: stable # 2.6.31 Cc: Hans de Goede Signed-off-by: Johan Hovold --- drivers/media/usb/gspca/stv06xx/stv06xx.c | 19 ++++++++++++++++++- .../media/usb/gspca/stv06xx/stv06xx_pb0100.c | 4 ++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx.c b/drivers/media/usb/gspca/stv06xx/stv06xx.c index 79653d409951..95673fc0a99c 100644 --- a/drivers/media/usb/gspca/stv06xx/stv06xx.c +++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c @@ -282,6 +282,9 @@ static int stv06xx_start(struct gspca_dev *gspca_dev) return -EIO; } + if (alt->desc.bNumEndpoints < 1) + return -ENODEV; + packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); err = stv06xx_write_bridge(sd, STV_ISO_SIZE_L, packet_size); if (err < 0) @@ -306,11 +309,21 @@ static int stv06xx_start(struct gspca_dev *gspca_dev) static int stv06xx_isoc_init(struct gspca_dev *gspca_dev) { + struct usb_interface_cache *intfc; struct usb_host_interface *alt; struct sd *sd = (struct sd *) gspca_dev; + intfc = gspca_dev->dev->actconfig->intf_cache[0]; + + if (intfc->num_altsetting < 2) + return -ENODEV; + + alt = &intfc->altsetting[1]; + + if (alt->desc.bNumEndpoints < 1) + return -ENODEV; + /* Start isoc bandwidth "negotiation" at max isoc bandwidth */ - alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1]; alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(sd->sensor->max_packet_size[gspca_dev->curr_mode]); @@ -323,6 +336,10 @@ static int stv06xx_isoc_nego(struct gspca_dev *gspca_dev) struct usb_host_interface *alt; struct sd *sd = (struct sd *) gspca_dev; + /* + * Existence of altsetting and endpoint was verified in + * stv06xx_isoc_init() + */ alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1]; packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); min_packet_size = sd->sensor->min_packet_size[gspca_dev->curr_mode]; diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c b/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c index 6d1007715ff7..ae382b3b5f7f 100644 --- a/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c +++ b/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c @@ -185,6 +185,10 @@ static int pb0100_start(struct sd *sd) alt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt); if (!alt) return -ENODEV; + + if (alt->desc.bNumEndpoints < 1) + return -ENODEV; + packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); /* If we don't have enough bandwidth use a lower framerate */ From patchwork Fri Jan 3 16:35:11 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11317035 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 89EB8138C for ; Fri, 3 Jan 2020 16:35:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 68A24206E6 for ; Fri, 3 Jan 2020 16:35:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578069359; bh=tXEYp3rsknBT4lY/sIr/UR4oa/ChTHaOLmC/7e7QlNU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=U2MrXgFa8/j3YmnyTShVj8Sbo2sAn2a3tqXAedzXjhxWlTYZEnHKnozXFED8Bddhe /8RkUSTsBQU6QcOCTVDN342QrO7z60UTy/1mjpOJGWZnCxrUjFZi9AY1mgLpwp7cmw 9Rdf1tVNvehokDY0cN/0zc92WWu6vpMQ3Osvfx4c= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728152AbgACQfz (ORCPT ); Fri, 3 Jan 2020 11:35:55 -0500 Received: from mail-lj1-f195.google.com ([209.85.208.195]:46601 "EHLO mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728037AbgACQfg (ORCPT ); Fri, 3 Jan 2020 11:35:36 -0500 Received: by mail-lj1-f195.google.com with SMTP id m26so41970604ljc.13; Fri, 03 Jan 2020 08:35:34 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=wOGJDK9VxSi0BWGjIljSq4Feb+Qmi92twu6Ha+tsjbE=; b=cnVUvsvXf783t5+2W62Fg2E7o4YGU3E0lvBkN+xPaXe2wPLCzyi01iygyLxI9N0Y5p CiKREjOEAY9hRPGYxvF9ihI9y3vtSKhXqr16B00Lpv4U+N8hTH94K7X4hDDTs4zlzlAy aEVhNYjqya7kBwy8MhFKmO+G+UFmF9GaX44ogVtqri8JkoGWZkXNdirrhcEFP/su9Eol NDdLeieM33Iez2bg/FRRM9xt5axFHEummOmIhhH1Wg53NAdjXFO8pFZirpWkk2nDgAdO u6FMmnPDer2tOxHZLTidLo+2ecNncyRblcowiFKrCwb8P0OLbHDU+3Mu1g90SDYU+a40 xytw== X-Gm-Message-State: APjAAAXnXhEzANHbeXpfFCX8MzuxA9FRmF4gelMGpKUmT6XGtxNWzGen xh5pG6ctF+PXap8oGbKeLE8= X-Google-Smtp-Source: APXvYqyatX6mOcKLHVud6xipKNRdmBsg36UpiSC6YsOJEh3KwyNzesOFwI+O4Bmvtdt2PcidB4wVmg== X-Received: by 2002:a2e:7816:: with SMTP id t22mr53001895ljc.161.1578069333139; Fri, 03 Jan 2020 08:35:33 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id u17sm15855057ljk.62.2020.01.03.08.35.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 Jan 2020 08:35:32 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1inPvB-0000Kz-D3; Fri, 03 Jan 2020 17:35:33 +0100 From: Johan Hovold To: Mauro Carvalho Chehab Cc: Sean Young , Hans Verkuil , linux-media@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable , Hans de Goede Subject: [PATCH 4/6] media: xirlink_cit: add missing descriptor sanity checks Date: Fri, 3 Jan 2020 17:35:11 +0100 Message-Id: <20200103163513.1229-5-johan@kernel.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200103163513.1229-1-johan@kernel.org> References: <20200103163513.1229-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Make sure to check that we have two alternate settings and at least one endpoint before accessing the second altsetting structure and dereferencing the endpoint arrays. This specifically avoids dereferencing NULL-pointers or corrupting memory when a device does not have the expected descriptors. Note that the sanity check in cit_get_packet_size() is not redundant as the driver is mixing looking up altsettings by index and by number, which may not coincide. Fixes: 659fefa0eb17 ("V4L/DVB: gspca_xirlink_cit: Add support for camera with a bcd version of 0.01") Fixes: 59f8b0bf3c12 ("V4L/DVB: gspca_xirlink_cit: support bandwidth changing for devices with 1 alt setting") Cc: stable # 2.6.37 Cc: Hans de Goede Signed-off-by: Johan Hovold --- drivers/media/usb/gspca/xirlink_cit.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/gspca/xirlink_cit.c b/drivers/media/usb/gspca/xirlink_cit.c index 934a90bd78c2..c579b100f066 100644 --- a/drivers/media/usb/gspca/xirlink_cit.c +++ b/drivers/media/usb/gspca/xirlink_cit.c @@ -1442,6 +1442,9 @@ static int cit_get_packet_size(struct gspca_dev *gspca_dev) return -EIO; } + if (alt->desc.bNumEndpoints < 1) + return -ENODEV; + return le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); } @@ -2626,6 +2629,7 @@ static int sd_start(struct gspca_dev *gspca_dev) static int sd_isoc_init(struct gspca_dev *gspca_dev) { + struct usb_interface_cache *intfc; struct usb_host_interface *alt; int max_packet_size; @@ -2641,8 +2645,17 @@ static int sd_isoc_init(struct gspca_dev *gspca_dev) break; } + intfc = gspca_dev->dev->actconfig->intf_cache[0]; + + if (intfc->num_altsetting < 2) + return -ENODEV; + + alt = &intfc->altsetting[1]; + + if (alt->desc.bNumEndpoints < 1) + return -ENODEV; + /* Start isoc bandwidth "negotiation" at max isoc bandwidth */ - alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1]; alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(max_packet_size); return 0; @@ -2665,6 +2678,9 @@ static int sd_isoc_nego(struct gspca_dev *gspca_dev) break; } + /* + * Existence of altsetting and endpoint was verified in sd_isoc_init() + */ alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1]; packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); if (packet_size <= min_packet_size) From patchwork Fri Jan 3 16:35:12 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11317045 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 544FE1395 for ; Fri, 3 Jan 2020 16:36:09 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 337BB227BF for ; Fri, 3 Jan 2020 16:36:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578069369; bh=6tmWngJho+6nvSioNSpEVxS7yF/xEHxBUuDKi0b0X9A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=HJGtaPoGXVljzt7nkphWQDl/PmeUzatwPYmSV1aneiLnNAt8YFtbC2oXzZ4Nx0xCq plicXCMV5S7vynh9tGGSEANXLkZQ9Sa1gDHPHFh3RLlrpxamzK3hG02w3f32kiwrIc y+ZyLj4Da5SXTTvJ+yLQ0NUQLkKBtkIc0w4h8Wog= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728172AbgACQgC (ORCPT ); Fri, 3 Jan 2020 11:36:02 -0500 Received: from mail-lj1-f196.google.com ([209.85.208.196]:37003 "EHLO mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728040AbgACQff (ORCPT ); Fri, 3 Jan 2020 11:35:35 -0500 Received: by mail-lj1-f196.google.com with SMTP id o13so33001084ljg.4; Fri, 03 Jan 2020 08:35:34 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=+tlqOZeymQPSzMRwJcWO6YbRSpeG6g0qeksDnmBdU10=; b=BazQZLFwOzVOPB0VwBVnhNRyeWeWGjqREEXs3llMKwYOeEXpkM3tVqZyT0/uoRPAXZ AMKQAoSCJaN5P7pF+VaGE5PA/tWv4ANx04bkrQpYbF1c6aTzKZlsLxrgzJEfQKOg/F0H eavjvabmBdBXR9fltugjvoGyBbeMLFcsbTxcxQJaTvot5eVWGlrme8gjLbUNfOqTGBCl adtFem8UAThZY+omHYBSNzO8PIYYegf16Ql35sHIRKoGU7oUHIP2rYskl0y2zgKJO5Wu THVkyagqzSeeeu2b9vXJMKK3D9RMigj61CUMNgh3X9gtryIFQXwb7rTnxvafTVMjgWWJ PyJw== X-Gm-Message-State: APjAAAVI9PuztnpjnsrbfR24A4Y3/oJIVvAps4dxNRKoAuU0yy4Lszqu Q+oVPYti98UzCGkzfwD6HWg= X-Google-Smtp-Source: APXvYqwYSsLJyZGoPLjR6puxlsXnmFozkkoUW6uBboL+dGzIHZp3/IWNSbX0v5RXpEQ36TA9fZ4bOg== X-Received: by 2002:a2e:8603:: with SMTP id a3mr43840365lji.210.1578069333597; Fri, 03 Jan 2020 08:35:33 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id l5sm23959515lje.1.2020.01.03.08.35.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 Jan 2020 08:35:32 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1inPvB-0000L3-FV; Fri, 03 Jan 2020 17:35:33 +0100 From: Johan Hovold To: Mauro Carvalho Chehab Cc: Sean Young , Hans Verkuil , linux-media@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable Subject: [PATCH 5/6] media: dib0700: fix rc endpoint lookup Date: Fri, 3 Jan 2020 17:35:12 +0100 Message-Id: <20200103163513.1229-6-johan@kernel.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200103163513.1229-1-johan@kernel.org> References: <20200103163513.1229-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Make sure to use the current alternate setting when verifying the interface descriptors to avoid submitting an URB to an invalid endpoint. Failing to do so could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge Nova-TD") Cc: stable # 3.16 Signed-off-by: Johan Hovold --- drivers/media/usb/dvb-usb/dib0700_core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/dvb-usb/dib0700_core.c b/drivers/media/usb/dvb-usb/dib0700_core.c index e53c58ab6488..ef62dd6c5ae4 100644 --- a/drivers/media/usb/dvb-usb/dib0700_core.c +++ b/drivers/media/usb/dvb-usb/dib0700_core.c @@ -818,7 +818,7 @@ int dib0700_rc_setup(struct dvb_usb_device *d, struct usb_interface *intf) /* Starting in firmware 1.20, the RC info is provided on a bulk pipe */ - if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1) + if (intf->cur_altsetting->desc.bNumEndpoints < rc_ep + 1) return -ENODEV; purb = usb_alloc_urb(0, GFP_KERNEL); @@ -838,7 +838,7 @@ int dib0700_rc_setup(struct dvb_usb_device *d, struct usb_interface *intf) * Some devices like the Hauppauge NovaTD model 52009 use an interrupt * endpoint, while others use a bulk one. */ - e = &intf->altsetting[0].endpoint[rc_ep].desc; + e = &intf->cur_altsetting->endpoint[rc_ep].desc; if (usb_endpoint_dir_in(e)) { if (usb_endpoint_xfer_bulk(e)) { pipe = usb_rcvbulkpipe(d->udev, rc_ep); From patchwork Fri Jan 3 16:35:13 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11317027 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 597DE138C for ; Fri, 3 Jan 2020 16:35:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 3876924649 for ; Fri, 3 Jan 2020 16:35:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578069351; bh=ETbkCgko7YvwV8aXW1fb985nhPP4nAfkmHHQEr2bmVo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=aBfqOyFY+NsUVwkDb4yG/uZ+s/3B01kp2y/scPKxYdC3QYNGBkG4ejY0gBzNOzJCw JWpoDz51/Zwm0pa4ThHvtwfTFPXexyeRhMDTwZ7U4GCIUxS+2w1yh5dJieXhACJDn+ jOeLmsCSvTE99aKHqBQuohqTcO0SmIXjVfWSUtig= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728104AbgACQfi (ORCPT ); Fri, 3 Jan 2020 11:35:38 -0500 Received: from mail-lf1-f68.google.com ([209.85.167.68]:38845 "EHLO mail-lf1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728055AbgACQfg (ORCPT ); Fri, 3 Jan 2020 11:35:36 -0500 Received: by mail-lf1-f68.google.com with SMTP id r14so32248502lfm.5; Fri, 03 Jan 2020 08:35:34 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=yRobfE6xRLcH/BMrCZ1ufq6OfrLdys2sHxbYvtXbY8w=; b=ixnV3N8mBZVm9aprcKYH14/u5wS/Cr5zYvo3+Syf7Pq9wm5OUPRKVReBDWVsysv4+C GSunZdMTi3RB3HWrMr5LM2ECTGJ2sibmwdHZRjT5ttj8hkwM9ae8C+WnFggKYlYd9/Kb wJb7ivB+e3EfMWSKepVihxGVqTqHCrtbQymT3xil0ukRMEPMZNnXiXQRfOfl4sv84gur 56KVl6WbRhcEiib1jOEexskLmVsPRd6Lenthp5/CcJmx0unXME2PbOQILVNQlVAvjwrB 1G6EsBDtEpFUO0WVc1PkJlpEueCQoZS5NiklLk9DaAN7Dvd+iKwV3OKOKbtT/iGpWVV/ KvNg== X-Gm-Message-State: APjAAAV3ytZ5egOtY8/toT969OTfITrL1oY3SIShHyE5b3RtSdg4d0Zo OHl4cYuus1w0BaOF3GyOeUQ= X-Google-Smtp-Source: APXvYqypOUHVanulprdiAK+EPxzBW+QhenaycGs2XscchwDWnOA7oZW9x6RVYZfBJIRjw20paazI0A== X-Received: by 2002:a19:cb46:: with SMTP id b67mr51127985lfg.40.1578069333965; Fri, 03 Jan 2020 08:35:33 -0800 (PST) Received: from xi.terra (c-14b8e655.07-184-6d6c6d4.bbcust.telenor.se. [85.230.184.20]) by smtp.gmail.com with ESMTPSA id h10sm24630541ljc.39.2020.01.03.08.35.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 Jan 2020 08:35:32 -0800 (PST) Received: from johan by xi.terra with local (Exim 4.92.3) (envelope-from ) id 1inPvB-0000L9-Ib; Fri, 03 Jan 2020 17:35:33 +0100 From: Johan Hovold To: Mauro Carvalho Chehab Cc: Sean Young , Hans Verkuil , linux-media@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable , Oliver Neukum Subject: [PATCH 6/6] media: iguanair: fix endpoint sanity check Date: Fri, 3 Jan 2020 17:35:13 +0100 Message-Id: <20200103163513.1229-7-johan@kernel.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200103163513.1229-1-johan@kernel.org> References: <20200103163513.1229-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Make sure to use the current alternate setting, which need not be the first one by index, when verifying the endpoint descriptors and initialising the URBs. Failing to do so could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 26ff63137c45 ("[media] Add support for the IguanaWorks USB IR Transceiver") Fixes: ab1cbdf159be ("media: iguanair: add sanity checks") Cc: stable # 3.6 Cc: Sean Young Cc: Oliver Neukum Signed-off-by: Johan Hovold --- drivers/media/rc/iguanair.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/rc/iguanair.c b/drivers/media/rc/iguanair.c index 872d6441e512..a7deca1fefb7 100644 --- a/drivers/media/rc/iguanair.c +++ b/drivers/media/rc/iguanair.c @@ -413,7 +413,7 @@ static int iguanair_probe(struct usb_interface *intf, int ret, pipein, pipeout; struct usb_host_interface *idesc; - idesc = intf->altsetting; + idesc = intf->cur_altsetting; if (idesc->desc.bNumEndpoints < 2) return -ENODEV;