mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-28 11:18:45 +07:00
39d170b3cb
The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects
are initialized to point to the containing `ath6kl_usb` object
according to endpoint descriptors read from the device side, as shown
below in `ath6kl_usb_setup_pipe_resources`:
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
endpoint = &iface_desc->endpoint[i].desc;
// get the address from endpoint descriptor
pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
endpoint->bEndpointAddress,
&urbcount);
......
// select the pipe object
pipe = &ar_usb->pipes[pipe_num];
// initialize the ar_usb field
pipe->ar_usb = ar_usb;
}
The driver assumes that the addresses reported in endpoint
descriptors from device side to be complete. If a device is
malicious and does not report complete addresses, it may trigger
NULL-ptr-deref `ath6kl_usb_alloc_urb_from_pipe` and
`ath6kl_usb_free_urb_to_pipe`.
This patch fixes the bug by preventing potential NULL-ptr-deref
(CVE-2019-15098).
Signed-off-by: Hui Peng <benquike@gmail.com>
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
||
|---|---|---|
| .. | ||
| ar5523 | ||
| ath5k | ||
| ath6kl | ||
| ath9k | ||
| ath10k | ||
| carl9170 | ||
| wcn36xx | ||
| wil6210 | ||
| ath.h | ||
| debug.c | ||
| dfs_pattern_detector.c | ||
| dfs_pattern_detector.h | ||
| dfs_pri_detector.c | ||
| dfs_pri_detector.h | ||
| hw.c | ||
| Kconfig | ||
| key.c | ||
| main.c | ||
| Makefile | ||
| reg.h | ||
| regd_common.h | ||
| regd.c | ||
| regd.h | ||
| spectral_common.h | ||
| trace.c | ||
| trace.h | ||