kernel-packages team mailing list archive

[Adam Lee <adam.lee@xxxxxxxxxxxxx>]

Public bug reported:

Invalid configuration descriptor as follows:

#+BEGIN_SRC text
0000   09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02  ..C.....d.......
0010   00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01  ...$....$...$...
0020   05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00  .$..............
0030   02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02  .........@......
0040   20 00 ff                                          ..
#+END_SRC text

In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.

*** Code problems:

1. The ~while (buflen > 0)~ loop that parses the interface aux data
   does not perform correct boundary checking.  In the above case,
   ~call_interface_num = buffer[4];~ accesses outside of the
   (declared) descriptor content.
2. If a union header is missing, there is no code path that checks
   whether the ~data_interface~ (resolved from ~call_interface_num~)
   actually exists.  Later ~if
   (data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
   ~data_interface~.

ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551

issue 2 was already fixed, issue 1's fix is in progress of upstream
merging, open this bug to track.

** Affects: hwe-next
     Importance: High
     Assignee: Adam Lee (adam8157)
         Status: Triaged

** Affects: linux (Ubuntu)
     Importance: High
     Assignee: Adam Lee (adam8157)
         Status: Triaged

** Changed in: hwe-next
       Status: New => Triaged

** Changed in: hwe-next
   Importance: Undecided => High

** Changed in: hwe-next
     Assignee: (unassigned) => Adam Lee (adam8157)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992

Title:
  Kernel oopses on access to address 0x8 when cdc-acm device is inserted
  with invalid descriptor.

Status in HWE Next Project:
  Triaged
Status in linux package in Ubuntu:
  Triaged

Bug description:
  Invalid configuration descriptor as follows:

  #+BEGIN_SRC text
  0000   09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02  ..C.....d.......
  0010   00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01  ...$....$...$...
  0020   05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00  .$..............
  0030   02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02  .........@......
  0040   20 00 ff                                          ..
  #+END_SRC text

  In particular, the CDC Call Management Descriptor has its length
  declared too short (4 instead of 5), and the following CDC Union
  Descriptor is therefore unreachable.

  *** Code problems:

  1. The ~while (buflen > 0)~ loop that parses the interface aux data
     does not perform correct boundary checking.  In the above case,
     ~call_interface_num = buffer[4];~ accesses outside of the
     (declared) descriptor content.
  2. If a union header is missing, there is no code path that checks
     whether the ~data_interface~ (resolved from ~call_interface_num~)
     actually exists.  Later ~if
     (data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
     ~data_interface~.

  ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551

  issue 2 was already fixed, issue 1's fix is in progress of upstream
  merging, open this bug to track.

To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions