CVE-2019-15098: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.
* [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
From: Hui Peng @ 2019-08-04 0:29 UTC
To: kvalo, davem
Cc: Hui Peng, Mathias Payer, linux-wireless, netdev, linux-kernel
The `ar_usb` field of `ath6kl_usb_pipe` objects is initialized to point to the containing `ath6kl_usb` object according to endpoint descriptors read from the device side, as shown below in `ath6kl_usb_setup_pipe_resources`:

    for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
        endpoint = &iface_desc->endpoint[i].desc;

        // get the address from endpoint descriptor
        pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
                                                   endpoint->bEndpointAddress,
                                                   &urbcount);
        ......
        // select the pipe object
        pipe = &ar_usb->pipes[pipe_num];

        // initialize the ar_usb field
        pipe->ar_usb = ar_usb;
    }

The driver assumes that the addresses reported in endpoint descriptors from the device side are complete. If a device is malicious and does not report complete addresses, it may trigger a NULL-ptr-deref in `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`.

This patch fixes the bug by preventing potential NULL-ptr-deref.

Signed-off-by: Hui Peng [email protected]
Reported-by: Hui Peng [email protected]
Reported-by: Mathias Payer [email protected]
---
 drivers/net/wireless/ath/ath6kl/usb.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c index 4defb7a0330f…53b66e9434c9 100644 — a/drivers/net/wireless/ath/ath6kl/usb.c +++ b/drivers/net/wireless/ath/ath6kl/usb.c @@ -132,6 +132,10 @@ ath6kl_usb_alloc_urb_from_pipe(struct ath6kl_usb_pipe *pipe) struct ath6kl_urb_context *urb_context = NULL; unsigned long flags;
/* bail if this pipe is not initialized */
if (!pipe->ar_usb)
return NULL;
spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); if (!list_empty(&pipe->urb_list_head)) { urb_context = @@ -150,6 +154,10 @@ static void ath6kl_usb_free_urb_to_pipe(struct ath6kl_usb_pipe *pipe, { unsigned long flags;
/* bail if this pipe is not initialized */
if (!pipe->ar_usb)
return;
spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); pipe->urb_cnt++;
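Review bot: in the ath6kl_usb_alloc_urb_from_pipe hunk, the new `if (!pipe->ar_usb) return NULL;` guard treats a NULL `ar_usb` as the marker for a pipe that no endpoint descriptor selected, which holds only if the pipes array is zeroed before ath6kl_usb_setup_pipe_resources fills it; nothing in this hunk establishes that invariant, so the commit message should state it. The guard also only catches the symptom at each allocation: the root cause is that ath6kl_usb_setup_pipe_resources accepts a descriptor set that leaves pipes unselected, so failing the probe when a required pipe ends up without `ar_usb` would be the more complete fix, with this check kept as defence in depth. Since this addresses a device-triggerable NULL dereference, the tag block should also carry a `Fixes:` line and `Cc: stable@vger.kernel.org` so the fix is picked up by stable kernels.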
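Review bot: in the ath6kl_usb_free_urb_to_pipe hunk, the early `return;` silently drops the free for an uninitialized pipe. Because the patched ath6kl_usb_alloc_urb_from_pipe never hands out a context from such a pipe, reaching this branch means a caller passed a pipe it never allocated from, so a `WARN_ON_ONCE(1)` or at least a debug message before the return would make that condition observable instead of masking it. Skipping `pipe->urb_cnt++` is correct for a pipe that was never set up, but the `/* bail if this pipe is not initialized */` comment only restates the condition; a short note that the counter is intentionally left untouched would help the next reader.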
– 2.22.0
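The failure mode described in the commit message, as an added user-space model rather than the driver's own code: pipes are marked initialized only when an endpoint descriptor names them, a device that reports too few endpoints leaves the rest with a NULL `ar_usb`, and the patched allocation path bails on those instead of dereferencing the pointer. `NUM_PIPES`, the address-to-pipe mapping and the sample endpoint set are assumptions made for the illustration; the closing probe-time count goes beyond the patch to show how such a device could be rejected up front.

```c
/* Added example, not ath6kl driver code: a user-space model of how
 * ath6kl_usb_setup_pipe_resources sets pipe->ar_usb only for pipes named by
 * the device's endpoint descriptors, and of the patched NULL check.
 * NUM_PIPES and the address-to-pipe mapping are assumptions. */
#include <stddef.h>
#include <stdint.h>
#define NUM_PIPES 8   /* assumed pipe count */
/* ar_usb stays NULL if no endpoint descriptor selects this pipe. */
struct ath6kl_usb_pipe { struct ath6kl_usb *ar_usb; int urb_cnt; };
struct ath6kl_usb { struct ath6kl_usb_pipe pipes[NUM_PIPES]; };
/* Assumed mapping: the low three bits of bEndpointAddress pick the pipe. */
static int logical_pipe_num(uint8_t ep_addr) { return ep_addr & 0x7; }
/* Mirrors the loop quoted in the commit message: only pipes a descriptor
 * names get ar_usb set; the rest keep their zero initialization. */
static void setup_pipe_resources(struct ath6kl_usb *ar_usb, const uint8_t *eps, int n)
{
    for (int i = 0; i < n; i++)
        ar_usb->pipes[logical_pipe_num(eps[i])].ar_usb = ar_usb;
}
/* Patched behaviour: bail on an uninitialized pipe instead of touching
 * pipe->ar_usb->cs_lock. Returns 1 when the allocation may proceed. */
static int alloc_urb_from_pipe(struct ath6kl_usb_pipe *pipe)
{
    if (!pipe->ar_usb)
        return 0;
    pipe->urb_cnt--;
    return 1;
}
/* Constructed sample device reporting only three endpoints (pipes 1-3). */
static struct ath6kl_usb make_incomplete_device(void)
{
    static const uint8_t eps[] = { 0x81, 0x02, 0x83 };
    struct ath6kl_usb dev = { 0 };
    setup_pipe_resources(&dev, eps, 3);
    return dev;
}
/* Alloc on one pipe of the sample device: 1 if initialized, 0 if bailed. */
static int try_alloc_on_pipe(int pipe_num)
{
    struct ath6kl_usb dev = make_incomplete_device();
    return alloc_urb_from_pipe(&dev.pipes[pipe_num]);
}
/* Probe-time style check: how many pipes did the device leave unset? */
static int missing_pipes(void)
{
    struct ath6kl_usb dev = make_incomplete_device(); int missing = 0;
    for (int i = 0; i < NUM_PIPES; i++)
        missing += dev.pipes[i].ar_usb == NULL;
    return missing;
}
```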
* Re: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
From: Greg KH @ 2019-08-10 10:13 UTC
To: Hui Peng
Cc: kvalo, davem, Mathias Payer, linux-wireless, netdev, linux-kernel
On Sat, Aug 03, 2019 at 08:29:04PM -0400, Hui Peng wrote:
> The `ar_usb` field of `ath6kl_usb_pipe` objects is initialized to point
> to the containing `ath6kl_usb` object according to endpoint descriptors
> read from the device side, as shown below in
> `ath6kl_usb_setup_pipe_resources`:
>
>     for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>         endpoint = &iface_desc->endpoint[i].desc;
>
>         // get the address from endpoint descriptor
>         pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
>                                                    endpoint->bEndpointAddress,
>                                                    &urbcount);
>         ......
>         // select the pipe object
>         pipe = &ar_usb->pipes[pipe_num];
>
>         // initialize the ar_usb field
>         pipe->ar_usb = ar_usb;
>     }
>
> The driver assumes that the addresses reported in endpoint descriptors
> from the device side are complete. If a device is malicious and does not
> report complete addresses, it may trigger a NULL-ptr-deref in
> `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`.
>
> This patch fixes the bug by preventing potential NULL-ptr-deref.
>
> Signed-off-by: Hui Peng [email protected]
> Reported-by: Hui Peng [email protected]
> Reported-by: Mathias Payer [email protected]

Reviewed-by: Greg Kroah-Hartman [email protected]
* Re: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
From: Guenter Roeck @ 2019-08-31 18:02 UTC
To: Hui Peng
Cc: kvalo, davem, Mathias Payer, linux-wireless, netdev, linux-kernel
On Sat, Aug 03, 2019 at 08:29:04PM -0400, Hui Peng wrote:
> The `ar_usb` field of `ath6kl_usb_pipe` objects is initialized to point
> to the containing `ath6kl_usb` object according to endpoint descriptors
> read from the device side, as shown below in
> `ath6kl_usb_setup_pipe_resources`:
>
>     for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>         endpoint = &iface_desc->endpoint[i].desc;
>
>         // get the address from endpoint descriptor
>         pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
>                                                    endpoint->bEndpointAddress,
>                                                    &urbcount);
>         ......
>         // select the pipe object
>         pipe = &ar_usb->pipes[pipe_num];
>
>         // initialize the ar_usb field
>         pipe->ar_usb = ar_usb;
>     }
>
> The driver assumes that the addresses reported in endpoint descriptors
> from the device side are complete. If a device is malicious and does not
> report complete addresses, it may trigger a NULL-ptr-deref in
> `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`.
>
> This patch fixes the bug by preventing potential NULL-ptr-deref.
>
> Signed-off-by: Hui Peng [email protected]
> Reported-by: Hui Peng [email protected]
> Reported-by: Mathias Payer [email protected]

I don't see this patch in the upstream kernel or in -next.

At the same time, it is supposed to fix CVE-2019-15098, which has a CVSS v2.0 score of 7.8 (high).

Is this patch going to be applied to the upstream kernel? If not, are there reasons to believe that the vulnerability is not as severe as its CVSS score indicates?

Thanks,
Guenter

> ---
>  drivers/net/wireless/ath/ath6kl/usb.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c index 4defb7a0330f…53b66e9434c9 100644 — a/drivers/net/wireless/ath/ath6kl/usb.c +++ b/drivers/net/wireless/ath/ath6kl/usb.c @@ -132,6 +132,10 @@ ath6kl_usb_alloc_urb_from_pipe(struct ath6kl_usb_pipe *pipe) struct ath6kl_urb_context *urb_context = NULL; unsigned long flags;
/* bail if this pipe is not initialized */
if (!pipe->ar_usb)
return NULL;
spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); if (!list_empty(&pipe->urb_list_head)) { urb_context = @@ -150,6 +154,10 @@ static void ath6kl_usb_free_urb_to_pipe(struct ath6kl_usb_pipe *pipe, { unsigned long flags;
/* bail if this pipe is not initialized */
if (!pipe->ar_usb)
return;
spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); pipe->urb_cnt++;
– 2.22.0
* Re: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
From: Kalle Valo @ 2019-09-01 7:55 UTC
To: Guenter Roeck
Cc: Hui Peng, davem, Mathias Payer, linux-wireless, netdev, linux-kernel
Guenter Roeck [email protected] writes:
> On Sat, Aug 03, 2019 at 08:29:04PM -0400, Hui Peng wrote:
>> The `ar_usb` field of `ath6kl_usb_pipe` objects is initialized to point
>> to the containing `ath6kl_usb` object according to endpoint descriptors
>> read from the device side, as shown below in
>> `ath6kl_usb_setup_pipe_resources`:
>>
>>     for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>>         endpoint = &iface_desc->endpoint[i].desc;
>>
>>         // get the address from endpoint descriptor
>>         pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
>>                                                    endpoint->bEndpointAddress,
>>                                                    &urbcount);
>>         ......
>>         // select the pipe object
>>         pipe = &ar_usb->pipes[pipe_num];
>>
>>         // initialize the ar_usb field
>>         pipe->ar_usb = ar_usb;
>>     }
>>
>> The driver assumes that the addresses reported in endpoint descriptors
>> from the device side are complete. If a device is malicious and does not
>> report complete addresses, it may trigger a NULL-ptr-deref in
>> `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`.
>>
>> This patch fixes the bug by preventing potential NULL-ptr-deref.
>>
>> Signed-off-by: Hui Peng [email protected]
>> Reported-by: Hui Peng [email protected]
>> Reported-by: Mathias Payer [email protected]
>
> I don't see this patch in the upstream kernel or in -next.
>
> At the same time, it is supposed to fix CVE-2019-15098, which has a CVSS
> v2.0 score of 7.8 (high).
>
> Is this patch going to be applied to the upstream kernel?

Lately I have been very busy and I have not had a chance to apply ath6kl nor ath10k patches. This patch is on my queue and my plan is to go through my patch queue next week.
– https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
* Re: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
From: Kalle Valo @ 2019-09-01 7:58 UTC
To: Hui Peng
Cc: Guenter Roeck, David S. Miller, Mathias Payer, linux-wireless, netdev, linux-kernel
In reply to: <CAKpmkkXyhuTviRfJG9dG-=Pt0KKdoHaxhXdvW9tSadOoKfnP1w@mail.gmail.com> (not found in the archive)
Hui Peng [email protected] writes:
> The reason that this patch is still in the pending state is that it
> has not been reviewed by maintainers (they are not responding).
> @Greg: can we apply it?

Who is "we" in this case? But anyway, I'll review the patch and if it's ok I'll take it through my ath.git tree, as normal.
– https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
* Re: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
From: Kalle Valo @ 2019-09-04 6:23 UTC
To: Hui Peng
Cc: davem, Hui Peng, Mathias Payer, linux-wireless, netdev, linux-kernel
Hui Peng [email protected] wrote:
> The `ar_usb` field of `ath6kl_usb_pipe` objects is initialized to point
> to the containing `ath6kl_usb` object according to endpoint descriptors
> read from the device side, as shown below in
> `ath6kl_usb_setup_pipe_resources`:
>
>     for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
>         endpoint = &iface_desc->endpoint[i].desc;
>
>         // get the address from endpoint descriptor
>         pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
>                                                    endpoint->bEndpointAddress,
>                                                    &urbcount);
>         ......
>         // select the pipe object
>         pipe = &ar_usb->pipes[pipe_num];
>
>         // initialize the ar_usb field
>         pipe->ar_usb = ar_usb;
>     }
>
> The driver assumes that the addresses reported in endpoint descriptors
> from the device side are complete. If a device is malicious and does not
> report complete addresses, it may trigger a NULL-ptr-deref in
> `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`.
>
> This patch fixes the bug by preventing potential NULL-ptr-deref
> (CVE-2019-15098).
>
> Signed-off-by: Hui Peng [email protected]
> Reported-by: Hui Peng [email protected]
> Reported-by: Mathias Payer [email protected]
> Reviewed-by: Greg Kroah-Hartman [email protected]
> Signed-off-by: Kalle Valo [email protected]

Patch applied to ath-next branch of ath.git, thanks.
39d170b3cb62 ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()
– https://patchwork.kernel.org/patch/11074655/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches