linux/drivers/usb/misc
Greg Kroah-Hartman 2fae9e5a7b usb: misc: legousbtower: Fix NULL pointer deference
This patch fixes a NULL pointer dereference caused by a race codition in
the probe function of the legousbtower driver. It re-structures the
probe function to only register the interface after successfully reading
the board's firmware ID.

The probe function does not deregister the usb interface after an error
receiving the devices firmware ID. The device file registered
(/dev/usb/legousbtower%d) may be read/written globally before the probe
function returns. When tower_delete is called in the probe function
(after an r/w has been initiated), core dev structures are deleted while
the file operation functions are still running. If the 0 address is
mappable on the machine, this vulnerability can be used to create a
Local Priviege Escalation exploit via a write-what-where condition by
remapping dev->interrupt_out_buffer in tower_write. A forged USB device
and local program execution would be required for LPE. The USB device
would have to delay the control message in tower_probe and accept
the control urb in tower_open whilst guest code initiated a write to the
device file as tower_delete is called from the error in tower_probe.

This bug has existed since 2003. Patch tested by emulated device.

Reported-by: James Patrick-Evans <james@jmp-e.com>
Tested-by: James Patrick-Evans <james@jmp-e.com>
Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-09-21 18:31:18 +02:00
..
sisusbvga usb: misc: sisusbvga: sisusb: don't print error when allocating urb fails 2016-08-15 15:54:27 +02:00
Kconfig usb: misc: Add driver for usb4604 2016-08-09 15:49:01 +02:00
Makefile usb: misc: Add driver for usb4604 2016-08-09 15:49:01 +02:00
adutux.c usb: misc: adutux: don't print on ENOMEM 2016-08-30 19:17:37 +02:00
appledisplay.c usb: misc: appledisplay: don't print on ENOMEM 2016-08-30 19:17:37 +02:00
chaoskey.c hwrng: chaoskey - Fix URB warning due to timeout on Alea 2016-06-07 18:42:44 +08:00
cypress_cy7c63.c usb: misc: cypress_cy7c63: don't print on ENOMEM 2016-08-30 19:17:37 +02:00
cytherm.c usb: misc: cytherm: don't print on ENOMEM 2016-08-30 19:17:38 +02:00
ehset.c usb: ehci: Add support for SINGLE_STEP_SET_FEATURE test of EHSET 2013-08-12 13:13:32 -07:00
emi26.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
emi62.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
ezusb.c ezusb: constify local structures 2016-09-13 17:24:24 +02:00
ftdi-elan.c usb: misc: ftdi-elan: don't print on ENOMEM 2016-08-30 19:17:38 +02:00
idmouse.c usb: misc: idmouse: don't print on ENOMEM 2016-08-30 19:17:38 +02:00
iowarrior.c usb: misc: iowarrior: don't print on ENOMEM 2016-08-30 19:17:38 +02:00
isight_firmware.c Merge branch 'usb-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb 2012-01-09 12:09:47 -08:00
ldusb.c usb: misc: ldusb: don't print on ENOMEM 2016-08-30 19:17:38 +02:00
legousbtower.c usb: misc: legousbtower: Fix NULL pointer deference 2016-09-21 18:31:18 +02:00
lvstest.c usb: misc: lvstest: don't print on ENOMEM 2016-08-30 19:17:38 +02:00
rio500.c usb: delete non-required instances of include <linux/init.h> 2014-01-08 15:01:39 -08:00
rio500_usb.h
trancevibrator.c usb: misc: trancevibrator: don't print on ENOMEM 2016-08-30 19:17:38 +02:00
ucsi.c usb: Add driver for UCSI 2016-04-29 15:29:18 -07:00
ucsi.h usb: Add driver for UCSI 2016-04-29 15:29:18 -07:00
usb3503.c usb: misc: usb3503: Clean up on driver unbind 2016-06-07 22:19:59 -07:00
usb4604.c usb: misc: Add driver for usb4604 2016-08-09 15:49:01 +02:00
usb_u132.h
usblcd.c usb: misc: usblcd: don't print on ENOMEM 2016-08-30 19:17:38 +02:00
usbsevseg.c usb: misc: usbsevseg: don't print on ENOMEM 2016-08-30 19:17:38 +02:00
usbtest.c usb: misc: usbtest: add fix for driver hang 2016-08-11 18:31:51 +02:00
uss720.c usb: misc: uss720: don't print on ENOMEM 2016-08-30 19:17:38 +02:00
yurex.c usb: misc: yurex: don't print on ENOMEM 2016-08-30 19:17:38 +02:00