CVE-2019-15098: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe

drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.


* [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
From: Hui Peng @ 2019-08-04 0:29 UTC
To: kvalo, davem
Cc: Hui Peng, Mathias Payer, linux-wireless, netdev, linux-kernel

The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects is initialized to point to the containing `ath6kl_usb` object according to endpoint descriptors read from the device side, as shown below in `ath6kl_usb_setup_pipe_resources`:

    for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
        endpoint = &iface_desc->endpoint[i].desc;

        // get the address from endpoint descriptor
        pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
                        endpoint->bEndpointAddress,
                        &urbcount);
        ......
        // select the pipe object
        pipe = &ar_usb->pipes[pipe_num];

        // initialize the ar_usb field
        pipe->ar_usb = ar_usb;
    }

The driver assumes the addresses reported in endpoint descriptors from the device side to be complete. If a device is malicious and does not report complete addresses, it may trigger a NULL-ptr-deref in `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`.

This patch fixes the bug by preventing potential NULL-ptr-deref.

Signed-off-by: Hui Peng [email protected]
Reported-by: Hui Peng [email protected]
Reported-by: Mathias Payer [email protected]


 drivers/net/wireless/ath/ath6kl/usb.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c index 4defb7a0330f…53b66e9434c9 100644 — a/drivers/net/wireless/ath/ath6kl/usb.c +++ b/drivers/net/wireless/ath/ath6kl/usb.c @@ -132,6 +132,10 @@ ath6kl_usb_alloc_urb_from_pipe(struct ath6kl_usb_pipe *pipe) struct ath6kl_urb_context *urb_context = NULL; unsigned long flags;

  • /* bail if this pipe is not initialized */

  • if (!pipe->ar_usb)

  •   return NULL;
    
  • spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); if (!list_empty(&pipe->urb_list_head)) { urb_context = @@ -150,6 +154,10 @@ static void ath6kl_usb_free_urb_to_pipe(struct ath6kl_usb_pipe *pipe, { unsigned long flags;

  • /* bail if this pipe is not initialized */

  • if (!pipe->ar_usb)

  •   return;
    
  • spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); pipe->urb_cnt++;
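Review bot: the new `if (!pipe->ar_usb) return NULL;` at the top of ath6kl_usb_alloc_urb_from_pipe() relies on every pipe that was not matched to an endpoint descriptor having a NULL ar_usb, which is true only if the containing ath6kl_usb object is zero-initialized before ath6kl_usb_setup_pipe_resources() runs; the commit message should state that guarantee, because a stale or uninitialized back-pointer would pass this check and still be dereferenced in spin_lock_irqsave(). A one-line comment above the check noting that ar_usb is set only for pipes matched in the setup loop would make the invariant explicit for later readers.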
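Review bot: in ath6kl_usb_free_urb_to_pipe() the early `return;` silently drops the context being handed back for an uninitialized pipe, which is safe only because the alloc path now returns NULL for the same pipe and so no context can exist to be returned; that reasoning belongs in the commit message. The identical "bail if this pipe is not initialized" test now appears in both functions, so a small shared helper would keep future users of pipe->ar_usb from forgetting the check.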

– 2.22.0
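An added example (not code from the patch or the ath6kl driver) that models the pipe table the message describes: the setup loop sets `ar_usb` only for pipes named by an endpoint descriptor, so a descriptor set that covers fewer pipes than the table holds leaves the rest with a NULL back-pointer, which the patched early-return catches. The struct layout, `NUM_PIPES`, the address-to-pipe mapping and the endpoint addresses are assumptions constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define NUM_PIPES 4   /* pipe table size in this model (assumption) */

struct ar_usb;
struct usb_pipe {
    struct ar_usb *ar_usb;   /* back-pointer; set only when an endpoint maps here */
    unsigned int urb_cnt;
};
struct ar_usb {
    struct usb_pipe pipes[NUM_PIPES];
};

/* Model of the setup loop: the device's bEndpointAddress values decide which
 * pipes get their ar_usb back-pointer. The low bits pick the pipe (an assumed
 * mapping, not ath6kl_usb_get_logical_pipe_num()). Unmatched pipes stay zeroed. */
static void setup_pipes(struct ar_usb *ar, const uint8_t *ep_addrs, size_t n)
{
    memset(ar, 0, sizeof(*ar));
    for (size_t i = 0; i < n; i++)
        ar->pipes[ep_addrs[i] & (NUM_PIPES - 1)].ar_usb = ar;
}

/* Patched free path: bail if this pipe is not initialized. Returns 1 if the
 * URB count was updated, 0 if it bailed (the unpatched code would instead
 * compute &pipe->ar_usb->cs_lock and fault on a NULL ar_usb). */
static int free_urb_patched(struct usb_pipe *pipe)
{
    if (!pipe->ar_usb)
        return 0;
    pipe->urb_cnt++;
    return 1;
}

/* Constructed descriptor set with only three endpoints, so pipe 3 is never
 * initialized. Returns how many pipes the unpatched path would fault on, i.e.
 * how many still have a NULL ar_usb after setup. */
static int uninitialized_pipes_after_setup(struct ar_usb *ar)
{
    static const uint8_t ep_addrs[] = { 0x80, 0x01, 0x82 };   /* constructed */
    int nulls = 0;
    setup_pipes(ar, ep_addrs, sizeof ep_addrs / sizeof ep_addrs[0]);
    for (int i = 0; i < NUM_PIPES; i++)
        nulls += (ar->pipes[i].ar_usb == NULL);
    return nulls;
}
```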


* Re: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
From: Greg KH @ 2019-08-10 10:13 UTC
To: Hui Peng
Cc: kvalo, davem, Mathias Payer, linux-wireless, netdev, linux-kernel

On Sat, Aug 03, 2019 at 08:29:04PM -0400, Hui Peng wrote:
> The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects is initialized to point to the containing `ath6kl_usb` object according to endpoint descriptors read from the device side, as shown below in `ath6kl_usb_setup_pipe_resources`:
>
>     for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>         endpoint = &iface_desc->endpoint[i].desc;
>
>         // get the address from endpoint descriptor
>         pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
>                         endpoint->bEndpointAddress,
>                         &urbcount);
>         …
>         // select the pipe object
>         pipe = &ar_usb->pipes[pipe_num];
>
>         // initialize the ar_usb field
>         pipe->ar_usb = ar_usb;
>     }
>
> The driver assumes the addresses reported in endpoint descriptors from the device side to be complete. If a device is malicious and does not report complete addresses, it may trigger a NULL-ptr-deref in `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`.
>
> This patch fixes the bug by preventing potential NULL-ptr-deref.
>
> Signed-off-by: Hui Peng [email protected]
> Reported-by: Hui Peng [email protected]
> Reported-by: Mathias Payer [email protected]

Reviewed-by: Greg Kroah-Hartman [email protected]


* Re: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
From: Guenter Roeck @ 2019-08-31 18:02 UTC
To: Hui Peng
Cc: kvalo, davem, Mathias Payer, linux-wireless, netdev, linux-kernel

On Sat, Aug 03, 2019 at 08:29:04PM -0400, Hui Peng wrote:
> The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects is initialized to point to the containing `ath6kl_usb` object according to endpoint descriptors read from the device side, as shown below in `ath6kl_usb_setup_pipe_resources`:
>
>     for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>         endpoint = &iface_desc->endpoint[i].desc;
>
>         // get the address from endpoint descriptor
>         pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
>                         endpoint->bEndpointAddress,
>                         &urbcount);
>         …
>         // select the pipe object
>         pipe = &ar_usb->pipes[pipe_num];
>
>         // initialize the ar_usb field
>         pipe->ar_usb = ar_usb;
>     }
>
> The driver assumes the addresses reported in endpoint descriptors from the device side to be complete. If a device is malicious and does not report complete addresses, it may trigger a NULL-ptr-deref in `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`.
>
> This patch fixes the bug by preventing potential NULL-ptr-deref.
>
> Signed-off-by: Hui Peng [email protected]
> Reported-by: Hui Peng [email protected]
> Reported-by: Mathias Payer [email protected]

I don't see this patch in the upstream kernel or in -next.

At the same time, it is supposed to fix CVE-2019-15098, which has a CVSS v2.0 score of 7.8 (high).

Is this patch going to be applied to the upstream kernel? If not, are there reasons to believe that the vulnerability is not as severe as its CVSS score indicates?

Thanks,
Guenter

> —

drivers/net/wireless/ath/ath6kl/usb.c | 8 ++++++++ 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c index 4defb7a0330f…53b66e9434c9 100644 — a/drivers/net/wireless/ath/ath6kl/usb.c +++ b/drivers/net/wireless/ath/ath6kl/usb.c @@ -132,6 +132,10 @@ ath6kl_usb_alloc_urb_from_pipe(struct ath6kl_usb_pipe *pipe) struct ath6kl_urb_context *urb_context = NULL; unsigned long flags;

  • /* bail if this pipe is not initialized */

  • if (!pipe->ar_usb)

  • return NULL;
    
  • spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); if (!list_empty(&pipe->urb_list_head)) { urb_context = @@ -150,6 +154,10 @@ static void ath6kl_usb_free_urb_to_pipe(struct ath6kl_usb_pipe *pipe, { unsigned long flags;

  • /* bail if this pipe is not initialized */

  • if (!pipe->ar_usb)

  • return;
    
  • spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); pipe->urb_cnt++;

– 2.22.0


* Re: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
From: Kalle Valo @ 2019-09-01 7:55 UTC
To: Guenter Roeck
Cc: Hui Peng, davem, Mathias Payer, linux-wireless, netdev, linux-kernel

Guenter Roeck [email protected] writes:

> On Sat, Aug 03, 2019 at 08:29:04PM -0400, Hui Peng wrote:
>> The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects is initialized to point to the containing `ath6kl_usb` object according to endpoint descriptors read from the device side, as shown below in `ath6kl_usb_setup_pipe_resources`:
>>
>>     for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>>         endpoint = &iface_desc->endpoint[i].desc;
>>
>>         // get the address from endpoint descriptor
>>         pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
>>                         endpoint->bEndpointAddress,
>>                         &urbcount);
>>         …
>>         // select the pipe object
>>         pipe = &ar_usb->pipes[pipe_num];
>>
>>         // initialize the ar_usb field
>>         pipe->ar_usb = ar_usb;
>>     }
>>
>> The driver assumes the addresses reported in endpoint descriptors from the device side to be complete. If a device is malicious and does not report complete addresses, it may trigger a NULL-ptr-deref in `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`.
>>
>> This patch fixes the bug by preventing potential NULL-ptr-deref.
>>
>> Signed-off-by: Hui Peng [email protected]
>> Reported-by: Hui Peng [email protected]
>> Reported-by: Mathias Payer [email protected]
>
> I don't see this patch in the upstream kernel or in -next.
>
> At the same time, it is supposed to fix CVE-2019-15098, which has a CVSS v2.0 score of 7.8 (high).
>
> Is this patch going to be applied to the upstream kernel?

Lately I have been very busy and I have not had a chance to apply ath6kl nor ath10k patches. This patch is on my queue and my plan is to go through my patch queue next week.

– https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


* Re: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
From: Kalle Valo @ 2019-09-01 7:58 UTC
To: Hui Peng
Cc: Guenter Roeck, David S. Miller, Mathias Payer, linux-wireless, netdev, linux-kernel

Hui Peng [email protected] writes:

> The reason that this patch is still in the pending state is that it
> has not been reviewed by maintainers (they are not responding). @Greg: can we apply it?

Who is "we" in this case? But anyway, I'll review the patch and if it's ok I'll take it through my ath.git tree, as normal.

– https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


* Re: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
From: Kalle Valo @ 2019-09-04 6:23 UTC
To: Hui Peng
Cc: davem, Hui Peng, Mathias Payer, linux-wireless, netdev, linux-kernel

Hui Peng [email protected] wrote:

> The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects is initialized to point to the containing `ath6kl_usb` object according to endpoint descriptors read from the device side, as shown below in `ath6kl_usb_setup_pipe_resources`:
>
>     for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>         endpoint = &iface_desc->endpoint[i].desc;
>
>         // get the address from endpoint descriptor
>         pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
>                         endpoint->bEndpointAddress,
>                         &urbcount);
>         …
>         // select the pipe object
>         pipe = &ar_usb->pipes[pipe_num];
>
>         // initialize the ar_usb field
>         pipe->ar_usb = ar_usb;
>     }
>
> The driver assumes the addresses reported in endpoint descriptors from the device side to be complete. If a device is malicious and does not report complete addresses, it may trigger a NULL-ptr-deref in `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`.
>
> This patch fixes the bug by preventing potential NULL-ptr-deref (CVE-2019-15098).
>
> Signed-off-by: Hui Peng [email protected]
> Reported-by: Hui Peng [email protected]
> Reported-by: Mathias Payer [email protected]
> Reviewed-by: Greg Kroah-Hartman [email protected]
> Signed-off-by: Kalle Valo [email protected]

Patch applied to ath-next branch of ath.git, thanks.

39d170b3cb62 ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()

– https://patchwork.kernel.org/patch/11074655/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

