mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	go7007: add sanity checking for endpoints
A malicious USB device may lack endpoints the driver assumes to exist
Accessing them leads to NULL pointer accesses. This patch introduces
sanity checking.
Reported-and-tested-by: syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Fixes: 866b8695d6 ("Staging: add the go7007 video driver")
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
			
			
This commit is contained in:
		
							parent
							
								
									ebeacb1f61
								
							
						
					
					
						commit
						137641287e
					
				| @ -1132,6 +1132,10 @@ static int go7007_usb_probe(struct usb_interface *intf, | ||||
| 		go->hpi_ops = &go7007_usb_onboard_hpi_ops; | ||||
| 	go->hpi_context = usb; | ||||
| 
 | ||||
| 	ep = usb->usbdev->ep_in[4]; | ||||
| 	if (!ep) | ||||
| 		return -ENODEV; | ||||
| 
 | ||||
| 	/* Allocate the URB and buffer for receiving incoming interrupts */ | ||||
| 	usb->intr_urb = usb_alloc_urb(0, GFP_KERNEL); | ||||
| 	if (usb->intr_urb == NULL) | ||||
| @ -1141,7 +1145,6 @@ static int go7007_usb_probe(struct usb_interface *intf, | ||||
| 	if (usb->intr_urb->transfer_buffer == NULL) | ||||
| 		goto allocfail; | ||||
| 
 | ||||
| 	ep = usb->usbdev->ep_in[4]; | ||||
| 	if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) | ||||
| 		usb_fill_bulk_urb(usb->intr_urb, usb->usbdev, | ||||
| 			usb_rcvbulkpipe(usb->usbdev, 4), | ||||
| @ -1263,9 +1266,13 @@ static int go7007_usb_probe(struct usb_interface *intf, | ||||
| 
 | ||||
| 	/* Allocate the URBs and buffers for receiving the video stream */ | ||||
| 	if (board->flags & GO7007_USB_EZUSB) { | ||||
| 		if (!usb->usbdev->ep_in[6]) | ||||
| 			goto allocfail; | ||||
| 		v_urb_len = 1024; | ||||
| 		video_pipe = usb_rcvbulkpipe(usb->usbdev, 6); | ||||
| 	} else { | ||||
| 		if (!usb->usbdev->ep_in[1]) | ||||
| 			goto allocfail; | ||||
| 		v_urb_len = 512; | ||||
| 		video_pipe = usb_rcvbulkpipe(usb->usbdev, 1); | ||||
| 	} | ||||
| @ -1285,6 +1292,8 @@ static int go7007_usb_probe(struct usb_interface *intf, | ||||
| 	/* Allocate the URBs and buffers for receiving the audio stream */ | ||||
| 	if ((board->flags & GO7007_USB_EZUSB) && | ||||
| 	    (board->main_info.flags & GO7007_BOARD_HAS_AUDIO)) { | ||||
| 		if (!usb->usbdev->ep_in[8]) | ||||
| 			goto allocfail; | ||||
| 		for (i = 0; i < 8; ++i) { | ||||
| 			usb->audio_urbs[i] = usb_alloc_urb(0, GFP_KERNEL); | ||||
| 			if (usb->audio_urbs[i] == NULL) | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user
	 Oliver Neukum
						Oliver Neukum