android_kernel_oneplus_msm8998/drivers/usb/misc
Greg Kroah-Hartman 62dd9cf78b usb: misc: legousbtower: Fix NULL pointer deference
commit 2fae9e5a7babada041e2e161699ade2447a01989 upstream.

This patch fixes a NULL pointer dereference caused by a race codition in
the probe function of the legousbtower driver. It re-structures the
probe function to only register the interface after successfully reading
the board's firmware ID.

The probe function does not deregister the usb interface after an error
receiving the devices firmware ID. The device file registered
(/dev/usb/legousbtower%d) may be read/written globally before the probe
function returns. When tower_delete is called in the probe function
(after an r/w has been initiated), core dev structures are deleted while
the file operation functions are still running. If the 0 address is
mappable on the machine, this vulnerability can be used to create a
Local Priviege Escalation exploit via a write-what-where condition by
remapping dev->interrupt_out_buffer in tower_write. A forged USB device
and local program execution would be required for LPE. The USB device
would have to delay the control message in tower_probe and accept
the control urb in tower_open whilst guest code initiated a write to the
device file as tower_delete is called from the error in tower_probe.

This bug has existed since 2003. Patch tested by emulated device.

Reported-by: James Patrick-Evans <james@jmp-e.com>
Tested-by: James Patrick-Evans <james@jmp-e.com>
Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-10-07 15:23:47 +02:00
..
sisusbvga USB: sisusb_con.c: move assignment out of if () block 2015-05-10 16:01:12 +02:00
adutux.c USB: adutux: NULL dereferences on disconnect 2014-11-26 19:50:15 -08:00
appledisplay.c USB: appledisplay: Deletion of a check before backlight_device_unregister() 2015-03-18 16:56:40 +01:00
chaoskey.c USB: chaoskey read offset bug 2015-10-04 11:01:13 +01:00
cypress_cy7c63.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
cytherm.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
ehset.c usb: ehci: Add support for SINGLE_STEP_SET_FEATURE test of EHSET 2013-08-12 13:13:32 -07:00
emi26.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
emi62.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
ezusb.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
ftdi-elan.c usb: misc: ftdi-elan: Simplify return statement 2015-08-05 12:37:21 -07:00
idmouse.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
iowarrior.c USB: iowarrior: fix oops with malicious USB descriptors 2016-04-12 09:08:41 -07:00
isight_firmware.c Merge branch 'usb-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb 2012-01-09 12:09:47 -08:00
Kconfig usb/misc: fix chaoskey build, needs HW_RANDOM 2015-04-03 19:03:15 +02:00
ldusb.c usb, HID: Remove Vernier devices from lsusb and hid_ignore_list 2015-06-01 14:44:08 +02:00
legousbtower.c usb: misc: legousbtower: Fix NULL pointer deference 2016-10-07 15:23:47 +02:00
lvstest.c Pratyush Anand has moved 2015-06-25 17:00:38 -07:00
Makefile usb: Add driver for Altus Metrum ChaosKey device (v2) 2015-03-26 10:47:11 +01:00
rio500.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
rio500_usb.h
trancevibrator.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
usb3503.c usb: misc: usb3503: Use i2c_add_driver helper macro 2015-10-24 19:53:53 -07:00
usb_u132.h
usblcd.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
usbled.c usb/misc/usbled: Add Riso Kagaku Webmail Notifier 2014-02-11 14:00:16 -08:00
usbsevseg.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
usbtest.c usb: misc: usbtest: add fix for driver hang 2016-09-07 08:32:38 +02:00
uss720.c USB: uss720.c: move assignment out of if () block 2015-05-10 16:01:12 +02:00
yurex.c usb: yurex: fixed sparse warning of incorrect type 2014-11-03 15:34:00 -08:00