Message ID | 1365511602-15193-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
Headers | show |
On 09/04/13 13:46, Luis Henriques wrote: > From: Wolfgang Frisch <wfpub@roembden.net> > > CVE-2013-1774 > > BugLink: http://bugs.launchpad.net/bugs/1143817 > > The tty is NULL when the port is hanging up. > chase_port() needs to check for this. > > This patch is intended for stable series. > The behavior was observed and tested in Linux 3.2 and 3.7.1. > > Johan Hovold submitted a more elaborate patch for the mainline kernel. > > [ 56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84 > [ 56.278811] usb 1-1: USB disconnect, device number 3 > [ 56.278856] usb 1-1: edge_bulk_in_callback - stopping read! > [ 56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8 > [ 56.280536] IP: [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35 > [ 56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0 > [ 56.282085] Oops: 0002 [#1] SMP > [ 56.282744] Modules linked in: > [ 56.283512] CPU 1 > [ 56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox > [ 56.283512] RIP: 0010:[<ffffffff8144e62a>] [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35 > [ 56.283512] RSP: 0018:ffff88001fa99ab0 EFLAGS: 00010046 > [ 56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064 > [ 56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8 > [ 56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000 > [ 56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0 > [ 56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4 > [ 56.283512] FS: 0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000 > [ 56.283512] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b > [ 56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0 > [ 56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > [ 56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 > [ 56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80) > [ 56.283512] Stack: > [ 56.283512] 0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c > [ 56.283512] ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001 > [ 56.283512] ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296 > [ 56.283512] Call Trace: > [ 56.283512] [<ffffffff810578ec>] ? add_wait_queue+0x12/0x3c > [ 56.283512] [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28 > [ 56.283512] [<ffffffff812ffe81>] ? chase_port+0x84/0x2d6 > [ 56.283512] [<ffffffff81063f27>] ? try_to_wake_up+0x199/0x199 > [ 56.283512] [<ffffffff81263a5c>] ? tty_ldisc_hangup+0x222/0x298 > [ 56.283512] [<ffffffff81300171>] ? edge_close+0x64/0x129 > [ 56.283512] [<ffffffff810612f7>] ? __wake_up+0x35/0x46 > [ 56.283512] [<ffffffff8106135b>] ? should_resched+0x5/0x23 > [ 56.283512] [<ffffffff81264916>] ? tty_port_shutdown+0x39/0x44 > [ 56.283512] [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28 > [ 56.283512] [<ffffffff8125d38c>] ? __tty_hangup+0x307/0x351 > [ 56.283512] [<ffffffff812e6ddc>] ? usb_hcd_flush_endpoint+0xde/0xed > [ 56.283512] [<ffffffff8144e625>] ? _raw_spin_lock_irqsave+0x14/0x35 > [ 56.283512] [<ffffffff812fd361>] ? usb_serial_disconnect+0x57/0xc2 > [ 56.283512] [<ffffffff812ea99b>] ? usb_unbind_interface+0x5c/0x131 > [ 56.283512] [<ffffffff8128d738>] ? __device_release_driver+0x7f/0xd5 > [ 56.283512] [<ffffffff8128d9cd>] ? device_release_driver+0x1a/0x25 > [ 56.283512] [<ffffffff8128d393>] ? bus_remove_device+0xd2/0xe7 > [ 56.283512] [<ffffffff8128b7a3>] ? device_del+0x119/0x167 > [ 56.283512] [<ffffffff812e8d9d>] ? usb_disable_device+0x6a/0x180 > [ 56.283512] [<ffffffff812e2ae0>] ? usb_disconnect+0x81/0xe6 > [ 56.283512] [<ffffffff812e4435>] ? hub_thread+0x577/0xe82 > [ 56.283512] [<ffffffff8144daa7>] ? __schedule+0x490/0x4be > [ 56.283512] [<ffffffff8105798f>] ? abort_exclusive_wait+0x79/0x79 > [ 56.283512] [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f > [ 56.283512] [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f > [ 56.283512] [<ffffffff810570b4>] ? kthread+0x81/0x89 > [ 56.283512] [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c > [ 56.283512] [<ffffffff8145387c>] ? ret_from_fork+0x7c/0xb0 > [ 56.283512] [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c > [ 56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00 > <f0> 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66 > [ 56.283512] RIP [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35 > [ 56.283512] RSP <ffff88001fa99ab0> > [ 56.283512] CR2: 00000000000001c8 > [ 56.283512] ---[ end trace 49714df27e1679ce ]--- > > Signed-off-by: Wolfgang Frisch <wfpub@roembden.net> > Cc: Johan Hovold <jhovold@gmail.com> > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 1ee0a224bc9aad1de496c795f96bc6ba2c394811) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > drivers/usb/serial/io_ti.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c > index 14d51e6..cf515f0 100644 > --- a/drivers/usb/serial/io_ti.c > +++ b/drivers/usb/serial/io_ti.c > @@ -574,6 +574,9 @@ static void chase_port(struct edgeport_port *port, unsigned long timeout, > wait_queue_t wait; > unsigned long flags; > > + if (!tty) > + return; > + > if (!timeout) > timeout = (HZ * EDGE_CLOSING_WAIT)/100; > > Clean upstream cherry pick, avoids NULL pointer oops, looks OK. Acked-by: Colin Ian King <colin.king@canonical.com>
diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c index 14d51e6..cf515f0 100644 --- a/drivers/usb/serial/io_ti.c +++ b/drivers/usb/serial/io_ti.c @@ -574,6 +574,9 @@ static void chase_port(struct edgeport_port *port, unsigned long timeout, wait_queue_t wait; unsigned long flags; + if (!tty) + return; + if (!timeout) timeout = (HZ * EDGE_CLOSING_WAIT)/100;