kernel_optimize_test/drivers
Greg Kroah-Hartman 2fae9e5a7b usb: misc: legousbtower: Fix NULL pointer deference
This patch fixes a NULL pointer dereference caused by a race condition in
the probe function of the legousbtower driver. It re-structures the
probe function to only register the interface after successfully reading
the board's firmware ID.

The probe function does not deregister the usb interface after an error
receiving the device's firmware ID. The device file registered
(/dev/usb/legousbtower%d) may be read/written globally before the probe
function returns. When tower_delete is called in the probe function
(after an r/w has been initiated), core dev structures are deleted while
the file operation functions are still running. If the 0 address is
mappable on the machine, this vulnerability can be used to create a
Local Privilege Escalation exploit via a write-what-where condition by
remapping dev->interrupt_out_buffer in tower_write. A forged USB device
and local program execution would be required for LPE. The USB device
would have to delay the control message in tower_probe and accept
the control urb in tower_open whilst guest code initiated a write to the
device file as tower_delete is called from the error in tower_probe.

This bug has existed since 2003. Patch tested by emulated device.

Reported-by: James Patrick-Evans <james@jmp-e.com>
Tested-by: James Patrick-Evans <james@jmp-e.com>
Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-09-21 18:31:18 +02:00
..
accessibility
acpi Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm 2016-09-10 09:58:52 -07:00
amba
android Revert "android: binder: fix dangling pointer comparison" 2016-08-18 17:21:37 +02:00
ata pata_ninja32: Avoid corrupting status flags 2016-08-30 11:59:47 -04:00
atm drivers: atm: nicstar: Use the correct function to free some resources 2016-07-19 11:30:26 -07:00
auxdisplay
base PM / runtime: Use _rcuidle for runtime suspend tracepoints 2016-09-16 02:59:58 +02:00
bcma wireless-drivers-next patches for 4.8 2016-07-25 11:09:19 -07:00
block Revert "floppy: refactor open() flags handling" 2016-08-25 08:56:51 -06:00
bluetooth Bluetooth: btmrvl: reset is_suspending flag in failure path 2016-07-18 10:13:02 +02:00
bus arm-cci: pmu: Fix typo in event name 2016-09-07 21:24:42 -07:00
cdrom cdrom: support read sub-channel command in LBA format 2016-07-12 08:24:50 -07:00
char virtio: fixes for 4.8 2016-09-09 14:52:05 -07:00
clk Clock Fixes for the Allwinner SoCs, 4.8 Edition 2016-09-08 12:54:24 -07:00
clocksource clocksource/drivers/atmel-pit: Fix compilation error 2016-08-29 09:51:39 +02:00
connector connector: make cn_proc explicitly non-modular 2016-07-05 11:40:47 -07:00
cpufreq cpufreq: dt: Add terminate entry for of_device_id tables 2016-08-31 02:49:05 +02:00
cpuidle powerpc updates for 4.8 # 1 2016-07-30 21:01:36 -07:00
crypto crypto: caam - fix IV loading for authenc (giv)decryption 2016-08-31 22:50:42 +08:00
dax dax: fix mapping size check 2016-09-03 10:40:57 -07:00
dca
devfreq PM / devfreq: exynos-bus: add missing of_node_put after calling of_parse_phandle 2016-07-06 13:11:24 +09:00
dio
dma dmaengine: img-mdc: fix a possible NULL dereference 2016-08-22 11:57:49 +05:30
dma-buf dma-buf: Release module reference on creation failure 2016-07-18 14:10:49 +02:00
edac EDAC, skx_edac: Add EDAC driver for Skylake 2016-08-21 10:58:34 -07:00
eisa
extcon Merge branch 'next' into resolution 2016-09-15 16:45:20 +05:30
firewire
firmware Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-09-13 12:02:00 -07:00
fmc
fpga drivers/fpga/Kconfig: fix build failure 2016-08-04 08:50:07 -04:00
gpio gpio: sa1100: fix irq probing for ucb1x00 2016-09-08 00:42:57 +02:00
gpu This pull request brings in a fix for crashes in X on VC4. 2016-09-17 07:57:55 +10:00
hid Merge branch 'for-4.8/hid-led' into for-linus 2016-07-28 10:49:23 +02:00
hsi
hv
hwmon hwmon: (it87) Add missing sysfs attribute group terminator 2016-08-29 05:31:31 -07:00
hwspinlock hwspinlock: qcom_hwspinlock: add missing of_node_put after calling of_parse_phandle 2016-07-06 12:20:34 -07:00
hwtracing Merge branch 'smp-hotplug-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-07-29 13:55:30 -07:00
i2c i2c: rk3x: Restore clock settings at resume time 2016-09-08 22:50:33 +02:00
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide 2016-07-29 13:29:06 -07:00
idle Merge branch 'x86-cpu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-07-30 12:56:26 -07:00
iio Second set of IIO fixes for the 4.8 cycle. 2016-09-09 13:44:37 +02:00
infiniband Round three of 4.8 rc fixes 2016-09-16 13:51:42 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2016-08-26 18:36:23 -07:00
iommu Merge branch 'for-joerg/arm-smmu/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/will/linux into iommu/fixes 2016-08-22 12:33:56 +02:00
ipack
irqchip irqchip/atmel-aic: Fix potential deadlock in ->xlate() 2016-09-13 16:57:40 +02:00
isdn
leds powerpc updates for 4.8 # 1 2016-07-30 21:01:36 -07:00
lguest
lightnvm block: get rid of bio_rw and READA 2016-07-20 17:37:01 -06:00
macintosh drivers/macintosh: Delete owner assignment 2016-08-22 11:09:33 +10:00
mailbox fix:mailbox:bcm-pdc-mailbox:mark symbols static where possible 2016-08-29 18:43:39 +05:30
mcb
md Merge tag 'md/4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2016-09-13 11:19:52 -07:00
media media: usb: zr364xx: zr364xx: don't print error when allocating urb fails 2016-08-30 19:13:55 +02:00
memory memory: omap-gpmc: allow probe of child nodes to fail 2016-08-08 11:18:40 +03:00
memstick memstick: don't allocate unused major for ms_block 2016-08-02 17:31:41 -04:00
message
mfd ARM: SoC driver updates for v4.8 2016-08-01 18:36:01 -04:00
misc lkdtm: adjust usercopy tests to bypass const checks 2016-09-06 12:17:30 -07:00
mmc mmc: omap: Initialize dma_slave_config to avoid random data in it's fields 2016-09-14 13:59:33 +02:00
mtd This pull request contains mostly cleanups and minor 2016-08-04 19:51:49 -04:00
net net/mlx4_en: Fix panic on xmit while port is down 2016-09-11 19:40:26 -07:00
nfc NFC 4.8 pull request 2016-07-20 23:39:36 -07:00
ntb NTB: ntb_hw_intel: use local variable pdev 2016-08-05 10:34:13 -04:00
nubus
nvdimm libnvdimm: allow legacy (e820) pmem region to clear bad blocks 2016-09-09 17:34:46 -07:00
nvme Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2016-09-15 13:22:59 -07:00
nvmem
of of: fix reference counting in of_graph_get_endpoint_by_regs 2016-08-15 11:15:05 -05:00
oprofile
parisc dma-mapping: use unsigned long for dma_attrs 2016-08-04 08:50:07 -04:00
parport
pci PCI updates for v4.8: 2016-09-14 14:06:30 -07:00
pcmcia pcmcia: lubbock: fix sockets configuration 2016-09-12 10:57:01 +01:00
perf drivers/perf: arm_pmu: Fix NULL pointer dereference during probe 2016-09-02 17:17:52 +01:00
phy phy-twl4030-usb: initialize charging-related stuff via pm_runtime 2016-09-14 10:59:12 +05:30
pinctrl pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33 2016-08-23 12:28:31 +02:00
platform intel_pmic_gpio: Make explicitly non-modular 2016-08-28 22:31:52 -07:00
pnp PNP: pnpbios: add header file to fix build errors 2016-07-27 18:52:54 +02:00
power power_supply: tps65217-charger: fix missing platform_set_drvdata() 2016-08-15 23:10:44 +02:00
powercap
pps pps: do not crash when failed to register 2016-07-23 10:25:54 +09:00
ps3
ptp
pwm pwm: Changes for v4.8-rc1 2016-08-06 00:01:33 -04:00
rapidio rapidio/tsi721: fix incorrect detection of address translation condition 2016-09-01 17:52:02 -07:00
ras
regulator Merge remote-tracking branches 'regulator/fix/email' and 'regulator/fix/qcom-smd' into regulator-linus 2016-09-06 12:31:34 +01:00
remoteproc dma-mapping: use unsigned long for dma_attrs 2016-08-04 08:50:07 -04:00
reset
rpmsg
rtc RTC for 4.8 2016-08-05 09:48:22 -04:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2016-08-16 15:50:22 -07:00
sbus
scsi SCSI fixes on 20160906 2016-09-06 11:06:52 -07:00
sfi
sh
sn
soc ARM: SoC driver updates for v4.8 2016-08-01 18:36:01 -04:00
spi Merge remote-tracking branches 'spi/fix/lock', 'spi/fix/maintainers', 'spi/fix/put', 'spi/fix/pxa2xx', 'spi/fix/sh-msiof' and 'spi/fix/timeout' into spi-linus 2016-09-06 12:32:09 +01:00
spmi
ssb SSB: Change bare unsigned to unsigned int to suit coding style 2016-07-06 15:09:36 +02:00
staging First round of IIO fixes for the 4.8 cycle. 2016-08-23 17:39:31 -04:00
target target: iblock_execute_sync_cache() should use bio_set_op_attrs() 2016-08-07 14:41:02 -06:00
tc
thermal thermal: rcar_thermal: Fix priv->zone error handling 2016-09-06 20:46:06 +08:00
thunderbolt thunderbolt: Don't declare Falcon Ridge unsupported 2016-08-31 13:25:02 +02:00
tty serial: 8250: added acces i/o products quad and octal serial cards 2016-08-31 16:28:26 +02:00
uio
usb usb: misc: legousbtower: Fix NULL pointer deference 2016-09-21 18:31:18 +02:00
uwb uwb: hwa-rc: don't print error when allocating urb fails 2016-08-15 15:52:40 +02:00
vfio vfio/pci: Fix NULL pointer oops in error interrupt setup handling 2016-08-08 16:16:23 -06:00
vhost vhost/scsi: fix reuse of &vq->iov[out] in response 2016-08-23 17:16:57 +03:00
video dma-mapping: use unsigned long for dma_attrs 2016-08-04 08:50:07 -04:00
virt
virtio virtio: mark vring_dma_dev() static 2016-09-09 21:12:35 +03:00
vlynq
vme
w1 w1:omap_hdq: fix regression 2016-08-02 19:35:40 -04:00
watchdog watchdog: pcwd_usb: don't print error when allocating urb fails 2016-08-30 19:13:55 +02:00
xen xenbus: don't look up transaction IDs for ordinary writes 2016-08-24 18:16:18 +01:00
zorro
Kconfig
Makefile virtio/vhost: new features for 4.8 2016-08-06 09:20:13 -04:00