On Thu, Apr 11, 2019 at 10:51:47AM +0800, Yang Xiao wrote:
> Hi,
> 
> There are NULL pointer dereferences in the function stk_camera_probe in
> drivers/media/usb/stkwebcam/stk-webcam.c and function s2255_probe in
> drivers/media/usb/s2255/s2255drv.c, which allow proximate attackers
> to cause a denial of service via a crafted endpoints value in USB
> device descriptor.
> 
> 1286 static int stk_camera_probe(struct usb_interface *interface,
> 1287          const struct usb_device_id *id)
>         ...
> 1351  iface_desc = interface->cur_altsetting;
> 1352
> 1353  for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
> 1354          endpoint = &iface_desc->endpoint[i].desc;
> 1355
> 1356          if (!dev->isoc_ep
> 1357                  && usb_endpoint_is_isoc_in(endpoint)) {
> 1358                  /* we found an isoc in endpoint */
> 1359                  dev->isoc_ep = usb_endpoint_num(endpoint);
> 1360                  break;
> 1361          }
> 1362  }
> 
> The driver expects at least one valid endpoint. If given malicious
> descriptors that specify 0 for the number of endpoints, it will crash
> in the probe function (NULL POINTER DEREFERENCE in line 1354).
> 
> The same reason applies to function s2255_probe.
> 
> The reason for this vulnerability is the same as CVE-2016-2188, which
> was fixed in commit 4ec0ef3a82125efc36173062a50624550a900ae0.

Can you please resend your patch in a format that I can apply it in?

Actually, it needs to go to the correct maintainer/subsystem, please use
scripts/get_maintainer.pl on your patch to determine that.

thanks,

greg k-h
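
An added example, not part of the thread or of the kernel source: a userspace C model of a probe-time endpoint check that rejects an interface reporting no endpoints before any later code relies on one. The struct and function names (`ep_desc`, `alt_setting`, `find_isoc_in_ep`) and the sample descriptors are assumptions made for illustration.

```c
/* Userspace model (added example): simplified stand-ins for the kernel's
 * USB descriptor structs, so the check can be compiled and run offline. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define EP_DIR_IN        0x80  /* bEndpointAddress direction bit */
#define EP_NUM_MASK      0x0f  /* bEndpointAddress endpoint number */
#define EP_XFERTYPE_MASK 0x03  /* bmAttributes transfer type */
#define EP_XFER_ISOC     0x01

struct ep_desc { uint8_t bEndpointAddress; uint8_t bmAttributes; };
struct alt_setting {
    uint8_t bNumEndpoints;          /* device-supplied, untrusted */
    const struct ep_desc *endpoint; /* NULL in this model when none parsed */
};

/* Returns the isoc-IN endpoint number (1..15), or a negative errno so the
 * caller can fail the probe instead of using an endpoint that is not there. */
int find_isoc_in_ep(const struct alt_setting *alt)
{
    if (!alt || alt->bNumEndpoints < 1 || !alt->endpoint)
        return -EINVAL;             /* no endpoints: reject the interface */

    for (unsigned i = 0; i < alt->bNumEndpoints; i++) {
        const struct ep_desc *ep = &alt->endpoint[i];
        int is_in   = (ep->bEndpointAddress & EP_DIR_IN) != 0;
        int is_isoc = (ep->bmAttributes & EP_XFERTYPE_MASK) == EP_XFER_ISOC;
        int num     = ep->bEndpointAddress & EP_NUM_MASK;

        if (is_in && is_isoc && num != 0)
            return num;
    }
    return -ENODEV;                 /* endpoints present, none usable */
}

/* Constructed sample descriptors (not taken from any real device). */
static const struct ep_desc sample_eps[] = {
    { 0x02, 0x02 },  /* bulk OUT, endpoint 2 */
    { 0x81, 0x01 },  /* isoc IN, endpoint 1 */
};
const struct alt_setting sample_ok    = { 2, sample_eps };
const struct alt_setting sample_empty = { 0, NULL };
const struct alt_setting sample_bulk  = { 1, sample_eps };
```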
