| Message ID | 20180720124844.14824-2-colin.king@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | media: imon: Fix null-ptr-deref in imon_probe | expand |
On 20.07.2018 14:48, Colin King wrote: > From: Arvind Yadav <arvind.yadav.cs@gmail.com> > > CVE-2017-16537 > > It seems that the return value of usb_ifnum_to_if() can be NULL and > needs to be checked. > > Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com> > Tested-by: Andrey Konovalov <andreyknvl@google.com> > Signed-off-by: Sean Young <sean@mess.org> > Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> > (clean upstream cherry pick from commit 58fd55e838276a0c13d1dc7c387f90f25063cbf3) > Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- -> (cherry picked from commit 58fd55e838276a0c13d1dc7c387f90f25063cbf3) > drivers/media/rc/imon.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c > index 9724fe8..9fef8cc 100644 > --- a/drivers/media/rc/imon.c > +++ b/drivers/media/rc/imon.c > @@ -2515,6 +2515,11 @@ static int imon_probe(struct usb_interface *interface, > mutex_lock(&driver_lock); > > first_if = usb_ifnum_to_if(usbdev, 0); > + if (!first_if) { > + ret = -ENODEV; > + goto fail; > + } > + > first_if_ctx = usb_get_intfdata(first_if); > > if (ifnum == 0) { >
On 07/20/18 14:48, Colin King wrote: > From: Arvind Yadav <arvind.yadav.cs@gmail.com> > > CVE-2017-16537 > > It seems that the return value of usb_ifnum_to_if() can be NULL and > needs to be checked. > > Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com> > Tested-by: Andrey Konovalov <andreyknvl@google.com> > Signed-off-by: Sean Young <sean@mess.org> > Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> > (clean upstream cherry pick from commit 58fd55e838276a0c13d1dc7c387f90f25063cbf3) > Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > drivers/media/rc/imon.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c > index 9724fe8..9fef8cc 100644 > --- a/drivers/media/rc/imon.c > +++ b/drivers/media/rc/imon.c > @@ -2515,6 +2515,11 @@ static int imon_probe(struct usb_interface *interface, > mutex_lock(&driver_lock); > > first_if = usb_ifnum_to_if(usbdev, 0); > + if (!first_if) { > + ret = -ENODEV; > + goto fail; > + } > + > first_if_ctx = usb_get_intfdata(first_if); > > if (ifnum == 0) { >
Applied to trusty master-next. ...Juerg On 07/20/2018 02:48 PM, Colin King wrote: > From: Arvind Yadav <arvind.yadav.cs@gmail.com> > > CVE-2017-16537 > > It seems that the return value of usb_ifnum_to_if() can be NULL and > needs to be checked. > > Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com> > Tested-by: Andrey Konovalov <andreyknvl@google.com> > Signed-off-by: Sean Young <sean@mess.org> > Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> > (clean upstream cherry pick from commit 58fd55e838276a0c13d1dc7c387f90f25063cbf3) > Signed-off-by: Colin Ian King <colin.king@canonical.com> > --- > drivers/media/rc/imon.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c > index 9724fe8..9fef8cc 100644 > --- a/drivers/media/rc/imon.c > +++ b/drivers/media/rc/imon.c > @@ -2515,6 +2515,11 @@ static int imon_probe(struct usb_interface *interface, > mutex_lock(&driver_lock); > > first_if = usb_ifnum_to_if(usbdev, 0); > + if (!first_if) { > + ret = -ENODEV; > + goto fail; > + } > + > first_if_ctx = usb_get_intfdata(first_if); > > if (ifnum == 0) { >
diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c index 9724fe8..9fef8cc 100644 --- a/drivers/media/rc/imon.c +++ b/drivers/media/rc/imon.c @@ -2515,6 +2515,11 @@ static int imon_probe(struct usb_interface *interface, mutex_lock(&driver_lock); first_if = usb_ifnum_to_if(usbdev, 0); + if (!first_if) { + ret = -ENODEV; + goto fail; + } + first_if_ctx = usb_get_intfdata(first_if); if (ifnum == 0) {