releases/5.7.16/go7007-add-sanity-checking-for-endpoints.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From bc1c145c4b8e080c0e18c8286c2a9570f2a4b160 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Tue, 5 May 2020 12:50:33 +0200
 Subject: go7007: add sanity checking for endpoints

 From: Oliver Neukum <oneukum@suse.com>

 [ Upstream commit 137641287eb40260783a4413847a0aef06023a6c ]

 A malicious USB device may lack endpoints the driver assumes to exist
 Accessing them leads to NULL pointer accesses. This patch introduces
 sanity checking.

 Reported-and-tested-by: syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com

 Signed-off-by: Oliver Neukum <oneukum@suse.com>
 Fixes: 866b8695d67e8 ("Staging: add the go7007 video driver")
 Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
 Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/media/usb/go7007/go7007-usb.c | 11 ++++++++++-
  1 file changed, 10 insertions(+), 1 deletion(-)

 diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c
 index f889c9d740cd1..dbf0455d5d50d 100644
 --- a/drivers/media/usb/go7007/go7007-usb.c
 +++ b/drivers/media/usb/go7007/go7007-usb.c
 @@ -1132,6 +1132,10 @@ static int go7007_usb_probe(struct usb_interface *intf,
  		go->hpi_ops = &go7007_usb_onboard_hpi_ops;
  	go->hpi_context = usb;

 +	ep = usb->usbdev->ep_in[4];
 +	if (!ep)
 +		return -ENODEV;
 +
  	/* Allocate the URB and buffer for receiving incoming interrupts */
  	usb->intr_urb = usb_alloc_urb(0, GFP_KERNEL);
  	if (usb->intr_urb == NULL)
 @@ -1141,7 +1145,6 @@ static int go7007_usb_probe(struct usb_interface *intf,
  	if (usb->intr_urb->transfer_buffer == NULL)
  		goto allocfail;

 -	ep = usb->usbdev->ep_in[4];
  	if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
  		usb_fill_bulk_urb(usb->intr_urb, usb->usbdev,
  			usb_rcvbulkpipe(usb->usbdev, 4),
 @@ -1263,9 +1266,13 @@ static int go7007_usb_probe(struct usb_interface *intf,

  	/* Allocate the URBs and buffers for receiving the video stream */
  	if (board->flags & GO7007_USB_EZUSB) {
 +		if (!usb->usbdev->ep_in[6])
 +			goto allocfail;
  		v_urb_len = 1024;
  		video_pipe = usb_rcvbulkpipe(usb->usbdev, 6);
  	} else {
 +		if (!usb->usbdev->ep_in[1])
 +			goto allocfail;
  		v_urb_len = 512;
  		video_pipe = usb_rcvbulkpipe(usb->usbdev, 1);
  	}
 @@ -1285,6 +1292,8 @@ static int go7007_usb_probe(struct usb_interface *intf,
  	/* Allocate the URBs and buffers for receiving the audio stream */
  	if ((board->flags & GO7007_USB_EZUSB) &&
  	    (board->main_info.flags & GO7007_BOARD_HAS_AUDIO)) {
 +		if (!usb->usbdev->ep_in[8])
 +			goto allocfail;
  		for (i = 0; i < 8; ++i) {
  			usb->audio_urbs[i] = usb_alloc_urb(0, GFP_KERNEL);
  			if (usb->audio_urbs[i] == NULL)
 --
 2.25.1
	From bc1c145c4b8e080c0e18c8286c2a9570f2a4b160 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Tue, 5 May 2020 12:50:33 +0200
	Subject: go7007: add sanity checking for endpoints

	From: Oliver Neukum <oneukum@suse.com>

	[ Upstream commit 137641287eb40260783a4413847a0aef06023a6c ]

	A malicious USB device may lack endpoints the driver assumes to exist
	Accessing them leads to NULL pointer accesses. This patch introduces
	sanity checking.

	Reported-and-tested-by: syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com

	Signed-off-by: Oliver Neukum <oneukum@suse.com>
	Fixes: 866b8695d67e8 ("Staging: add the go7007 video driver")
	Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
	Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/media/usb/go7007/go7007-usb.c \| 11 ++++++++++-
	1 file changed, 10 insertions(+), 1 deletion(-)

	diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c
	index f889c9d740cd1..dbf0455d5d50d 100644
	--- a/drivers/media/usb/go7007/go7007-usb.c
	+++ b/drivers/media/usb/go7007/go7007-usb.c
	@@ -1132,6 +1132,10 @@ static int go7007_usb_probe(struct usb_interface *intf,
	go->hpi_ops = &go7007_usb_onboard_hpi_ops;
	go->hpi_context = usb;

	+ ep = usb->usbdev->ep_in[4];
	+ if (!ep)
	+ return -ENODEV;
	+
	/* Allocate the URB and buffer for receiving incoming interrupts */
	usb->intr_urb = usb_alloc_urb(0, GFP_KERNEL);
	if (usb->intr_urb == NULL)
	@@ -1141,7 +1145,6 @@ static int go7007_usb_probe(struct usb_interface *intf,
	if (usb->intr_urb->transfer_buffer == NULL)
	goto allocfail;

	- ep = usb->usbdev->ep_in[4];
	if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
	usb_fill_bulk_urb(usb->intr_urb, usb->usbdev,
	usb_rcvbulkpipe(usb->usbdev, 4),
	@@ -1263,9 +1266,13 @@ static int go7007_usb_probe(struct usb_interface *intf,

	/* Allocate the URBs and buffers for receiving the video stream */
	if (board->flags & GO7007_USB_EZUSB) {
	+ if (!usb->usbdev->ep_in[6])
	+ goto allocfail;
	v_urb_len = 1024;
	video_pipe = usb_rcvbulkpipe(usb->usbdev, 6);
	} else {
	+ if (!usb->usbdev->ep_in[1])
	+ goto allocfail;
	v_urb_len = 512;
	video_pipe = usb_rcvbulkpipe(usb->usbdev, 1);
	}
	@@ -1285,6 +1292,8 @@ static int go7007_usb_probe(struct usb_interface *intf,
	/* Allocate the URBs and buffers for receiving the audio stream */
	if ((board->flags & GO7007_USB_EZUSB) &&
	(board->main_info.flags & GO7007_BOARD_HAS_AUDIO)) {
	+ if (!usb->usbdev->ep_in[8])
	+ goto allocfail;
	for (i = 0; i < 8; ++i) {
	usb->audio_urbs[i] = usb_alloc_urb(0, GFP_KERNEL);
	if (usb->audio_urbs[i] == NULL)
	--
	2.25.1