linux-stable.git/drivers/usb/wusbcore, branch linux-4.9.y Linux kernel stable tree usb: wusbcore: security: cast sizeof to int for comparison 2018-10-04T00:01:45+00:00 Julia Lawall Julia.Lawall@lip6.fr 2018-07-01T17:32:04+00:00 ad04608260af5216d33ad74ada77bde42239b95d [ Upstream commit d3ac5598c5010a8999978ebbcca3b1c6188ca36b ] Comparing an int to a size, which is unsigned, causes the int to become unsigned, giving the wrong result. usb_get_descriptor can return a negative error code. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ int x; expression e,e1; identifier f; @@ *x = f(...); ... when != x = e1 when != if (x < 0 || ...) { ... return ...; } *x < sizeof(e) // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
[ Upstream commit d3ac5598c5010a8999978ebbcca3b1c6188ca36b ]

Comparing an int to a size, which is unsigned, causes the int to become
unsigned, giving the wrong result.  usb_get_descriptor can return a
negative error code.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
int x;
expression e,e1;
identifier f;
@@

*x = f(...);
... when != x = e1
    when != if (x < 0 || ...) { ... return ...; }
*x < sizeof(e)
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: wusbcore: fix NULL-deref at probe 2017-03-30T07:41:24+00:00 Johan Hovold johan@kernel.org 2017-03-13T12:47:51+00:00 46aeeb2ac18acdaee65355d335b63fa2a49ac01b commit 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 upstream. Make sure to check the number of endpoints to avoid dereferencing a NULL-pointer or accessing memory beyond the endpoint array should a malicious device lack the expected endpoints. This specifically fixes the NULL-pointer dereference when probing HWA HC devices. Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core") Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com> Cc: David Vrabel <david.vrabel@csr.com> Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

This specifically fixes the NULL-pointer dereference when probing HWA HC
devices.

Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core")
Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
Cc: David Vrabel <david.vrabel@csr.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
wusbcore: Fix one more crypto-on-the-stack bug 2017-01-19T19:18:01+00:00 Andy Lutomirski luto@kernel.org 2016-12-14T02:50:13+00:00 88d3670a1de4246cd40dfacdc21289b313caf5ed commit 620f1a632ebcc9811c2f8009ba52297c7006f805 upstream. The driver put a constant buffer of all zeros on the stack and pointed a scatterlist entry at it. This doesn't work with virtual stacks. Use ZERO_PAGE instead. Reported-by: Eric Biggers <ebiggers3@gmail.com> Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 620f1a632ebcc9811c2f8009ba52297c7006f805 upstream.

The driver put a constant buffer of all zeros on the stack and
pointed a scatterlist entry at it.  This doesn't work with virtual
stacks.  Use ZERO_PAGE instead.

Reported-by: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
wusb: fix error return code in wusb_prf() 2016-10-19T13:28:29+00:00 Wei Yongjun weiyongjun1@huawei.com 2016-10-19T13:19:02+00:00 1ee1710cd6bbf49853688e97d6e1d98b48f28586 Fix to return error code -ENOMEM from the kmalloc() error handling case instead of 0, as done elsewhere in this function. Fixes: a19b882c07a6 ("wusb: Stop using the stack for sg crypto scratch space") Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Fix to return error code -ENOMEM from the kmalloc() error handling
case instead of 0, as done elsewhere in this function.

Fixes: a19b882c07a6 ("wusb: Stop using the stack for sg crypto scratch space")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
wusb: Stop using the stack for sg crypto scratch space 2016-10-17T09:50:43+00:00 Andy Lutomirski luto@kernel.org 2016-10-06T17:25:38+00:00 a19b882c07a63174f09d1f7c036cc2aab7f04ad3 Pointing an sg list at the stack is verboten and, with CONFIG_VMAP_STACK=y, will malfunction. Use kmalloc for the wusb crypto stack space instead. Untested -- I'm not entirely convinced that this hardware exists in the wild. Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Pointing an sg list at the stack is verboten and, with
CONFIG_VMAP_STACK=y, will malfunction.  Use kmalloc for the wusb
crypto stack space instead.

Untested -- I'm not entirely convinced that this hardware exists in
the wild.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: wusbcore: add in missing white space in error message text 2016-09-13T15:24:24+00:00 Colin Ian King colin.king@canonical.com 2016-09-12T13:19:17+00:00 f409440703f302791f7ee209c4214d22ff9b7ec6 A dev_err message spans two lines and the literal string is missing a white space between words. Add the white space and reformat the message to not span multiple lines. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
A dev_err message spans two lines and the literal string is missing
a white space between words. Add the white space and reformat the
message to not span multiple lines.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: wusbcore: wa-nep: don't print on ENOMEM 2016-08-30T17:17:39+00:00 Wolfram Sang wsa-dev@sang-engineering.com 2016-08-25T17:39:36+00:00 84f11ce545d464828992036591bbcb78175d509f All kmalloc-based functions print enough information on failures. Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: wusbcore: security: don't print on ENOMEM 2016-08-30T17:17:39+00:00 Wolfram Sang wsa-dev@sang-engineering.com 2016-08-25T17:39:35+00:00 d919523f97c97859be5d01fb964fd35d3acda489 All kmalloc-based functions print enough information on failures. Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: wusbcore: crypto: don't print on ENOMEM 2016-08-30T17:17:39+00:00 Wolfram Sang wsa-dev@sang-engineering.com 2016-08-25T17:39:34+00:00 90b613864d414d3c8423fd8d58a956d89ef58770 All kmalloc-based functions print enough information on failures. Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: wusbcore: wa-xfer: don't print error when allocating urb fails 2016-08-15T13:54:27+00:00 Wolfram Sang wsa-dev@sang-engineering.com 2016-08-11T21:22:46+00:00 ff7bbff3bc6f12dee4fc180a79c964c5c3eea8b2 kmalloc will print enough information in case of failure. Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
kmalloc will print enough information in case of failure.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>