Skip to content

Commit

Permalink
Input: powermate - fix oops with malicious USB descriptors
Browse files Browse the repository at this point in the history 
The powermate driver expects at least one valid USB endpoint in its
probe function.  If given malicious descriptors that specify 0 for
the number of endpoints, it will crash.  Validate the number of
endpoints on the interface before using them.

The full report for this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/85

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
  • Loading branch information
@dtor
Josh Boyer authored and dtor committed Mar 14, 2016
1 parent 9979c1c commit 9c6ba45
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions drivers/input/misc/powermate.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
int error = -ENOMEM;

interface = intf->cur_altsetting;
if (interface->desc.bNumEndpoints < 1)
return -EINVAL;

endpoint = &interface->endpoint[0].desc;
if (!usb_endpoint_is_int_in(endpoint))
return -EIO;
Expand Down

0 comments on commit 9c6ba45

Please sign in to comment.