linux/drivers/usb/serial
Johan Hovold 7d7e21fafd USB: serial: keyspan: fix NULL-derefs on open() and write()
Fix NULL-pointer dereferences on open() and write() which can be
triggered by a malicious USB device.

The current URB allocation helper would fail to initialise the newly
allocated URB if the device has unexpected endpoint descriptors,
something which could lead to NULL-pointer dereferences in a number of
open() and write() paths when accessing the URB. For example:

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	...
	RIP: 0010:usb_clear_halt+0x11/0xc0
	...
	Call Trace:
	 ? tty_port_open+0x4d/0xd0
	 keyspan_open+0x70/0x160 [keyspan]
	 serial_port_activate+0x5b/0x80 [usbserial]
	 tty_port_open+0x7b/0xd0
	 ? check_tty_count+0x43/0xa0
	 tty_open+0xf1/0x490

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	...
	RIP: 0010:keyspan_write+0x14e/0x1f3 [keyspan]
	...
	Call Trace:
	 serial_write+0x43/0xa0 [usbserial]
	 n_tty_write+0x1af/0x4f0
	 ? do_wait_intr_irq+0x80/0x80
	 ? process_echoes+0x60/0x60
	 tty_write+0x13f/0x2f0

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	...
	RIP: 0010:keyspan_usa26_send_setup+0x298/0x305 [keyspan]
	...
	Call Trace:
	 keyspan_open+0x10f/0x160 [keyspan]
	 serial_port_activate+0x5b/0x80 [usbserial]
	 tty_port_open+0x7b/0xd0
	 ? check_tty_count+0x43/0xa0
	 tty_open+0xf1/0x490

Fixes: fdcba53e2d ("fix for bugzilla #7544 (keyspan USB-to-serial converter)")
Cc: stable <stable@vger.kernel.org>	# 2.6.21
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2019-10-04 10:57:19 +02:00
aircable.c USB: serial: fix module-license macros 2017-11-04 11:58:00 +01:00
ark3116.c USB: serial: ark3116: drop redundant init_termios 2019-04-26 08:37:53 +02:00
belkin_sa.c docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
belkin_sa.h docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
bus.c USB: serial: use tty_port_register_device() 2018-05-17 11:22:00 +02:00
ch341.c USB: serial: ch341: fix type promotion bug in ch341_control_in() 2018-07-04 15:40:54 +02:00
console.c USB: serial: console: fix reported terminal settings 2018-12-05 11:29:10 +01:00
cp210x.c USB: serial: cp210x: add new device id 2019-03-28 08:59:49 +01:00
cyberjack.c USB: serial: cyberjack: use irqsave() in USB's complete callback 2018-06-26 14:13:53 +02:00
cypress_m8.c docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
cypress_m8.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
digi_acceleport.c USB: serial: digi_acceleport: clean up set_termios 2019-04-21 14:24:12 +02:00
empeg.c docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
ezusb_convert.pl License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
f81232.c USB: serial: f81232: implement break control 2019-05-03 09:19:55 +02:00
f81534.c USB: serial: f81534: fix reading old/new IC config 2018-11-20 18:25:44 +01:00
ftdi_sio_ids.h USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 2019-10-02 11:47:10 +02:00
ftdi_sio.c USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 2019-10-02 11:47:10 +02:00
ftdi_sio.h USB: serial: ftdi_sio: add support for FT232R CBUS gpios 2018-10-05 08:57:06 +02:00
garmin_gps.c USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
generic.c USB: serial: drop unnecessary goto 2019-04-30 10:25:04 +02:00
io_16654.h USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
io_edgeport.c USB: serial: io_edgeport: fix up switch fall-through comments 2019-05-03 08:01:11 +02:00
io_edgeport.h USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
io_ionsp.h USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
io_ti.c io_ti: switch to ->get_serial() 2018-10-13 00:50:38 -04:00
io_ti.h USB: serial: io_ti: fix array underflow in completion handler 2018-08-27 11:52:34 +02:00
io_usbvend.h USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
ipaq.c USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
ipw.c USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
ir-usb.c docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
iuu_phoenix.c USB: serial: iuu_phoenix: simplify init_termios 2019-04-26 08:38:00 +02:00
iuu_phoenix.h USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
Kconfig docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
keyspan_pda.c docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
keyspan_usa26msg.h USB: serial: keyspan_usa: add proper SPDX lines for .h files 2019-01-18 11:09:32 +01:00
keyspan_usa28msg.h USB: serial: keyspan_usa: add proper SPDX lines for .h files 2019-01-18 11:09:32 +01:00
keyspan_usa49msg.h USB: serial: keyspan_usa: add proper SPDX lines for .h files 2019-01-18 11:09:32 +01:00
keyspan_usa67msg.h USB: serial: keyspan_usa: add proper SPDX lines for .h files 2019-01-18 11:09:32 +01:00
keyspan_usa90msg.h USB: serial: keyspan_usa: add proper SPDX lines for .h files 2019-01-18 11:09:32 +01:00
keyspan.c USB: serial: keyspan: fix NULL-derefs on open() and write() 2019-10-04 10:57:19 +02:00
kl5kusb105.c USB: serial: kl5kusb105: remove KLSI device id 2018-07-11 10:11:29 +02:00
kl5kusb105.h USB: serial: kl5kusb105: remove KLSI device id 2018-07-11 10:11:29 +02:00
kobil_sct.c USB: serial: kobil_sct: add missing version error handling 2018-07-06 10:42:42 +02:00
kobil_sct.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Makefile-keyspan_pda_fw USB: add SPDX identifiers to all remaining Makefiles 2017-11-07 15:53:48 +01:00
mct_u232.c USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
mct_u232.h USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
metro-usb.c USB: serial: fix module-license macros 2017-11-04 11:58:00 +01:00
mos7720.c USB: serial: mos7720: fix mos_parport refcount imbalance on error path 2019-03-20 13:58:42 +01:00
mos7840.c USB: serial: mos7840: remove set but not used variables 'number, serial' 2018-12-10 10:20:44 +01:00
mxuport.c USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
navman.c USB: serial: fix module-license macros 2017-11-04 11:58:00 +01:00
omninet.c docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
opticon.c opticon: switch to ->get_serial() 2018-10-13 00:50:39 -04:00
option.c USB: serial: option: add support for Cinterion CLS8 devices 2019-10-04 10:57:18 +02:00
oti6858.c docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
oti6858.h USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
pl2303.c docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
pl2303.h USB: serial: pl2303: add Allied Telesis VT-Kit3 2019-05-21 11:26:14 +02:00
qcaux.c USB: serial: fix module-license macros 2017-11-04 11:58:00 +01:00
qcserial.c USB: serial: qcserial: add Sierra Wireless EM7565 2017-12-15 09:41:46 +01:00
quatech2.c USB: serial: quatech2: remove set but not used variable 'port_priv' 2018-11-12 10:08:10 +01:00
safe_serial.c USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
sierra.c USB: serial: sierra: use irqsave() in USB's complete callback 2018-06-26 15:22:25 +02:00
spcp8x5.c USB: serial: spcp8x5: simplify init_termios 2019-04-26 08:38:02 +02:00
ssu100.c ssu100: switch to ->get_serial() 2018-10-13 00:50:41 -04:00
symbolserial.c USB: serial: symbolserial: use irqsave() in USB's complete callback 2018-06-26 15:25:01 +02:00
ti_usb_3410_5052.c Merge branch 'work.tty-ioctl' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-10-24 14:43:41 +01:00
upd78f0730.c USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
usb_debug.c USB: serial: usb_debug: add new USB device id 2017-11-28 09:54:11 +01:00
usb_wwan.c usb_wwan: switch to ->[sg]et_serial() 2018-10-13 00:50:42 -04:00
usb-serial-simple.c USB: serial: simple: add Motorola Tetra TPG2200 device id 2019-01-07 16:37:52 +01:00
usb-serial.c docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
usb-wwan.h usb_wwan: switch to ->[sg]et_serial() 2018-10-13 00:50:42 -04:00
visor.c docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
visor.h docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
whiteheat.c docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
whiteheat.h docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
wishbone-serial.c USB: serial: Remove redundant license text 2017-11-04 11:55:38 +01:00
xsens_mt.c USB: serial: fix module-license macros 2017-11-04 11:58:00 +01:00