← Back to team overview

kernel-packages team mailing list archive

  1. kernel-packages team
  2. Mailing list archive
  3. Message #101754

[Bug 1413992] Re: Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.

  Thread PreviousDate PreviousThread Next 
** Changed in: linux (Ubuntu)
       Status: Triaged => In Progress

** Changed in: hwe-next/vivid
       Status: Triaged => In Progress

** Changed in: hwe-next/utopic
       Status: New => In Progress

** Changed in: hwe-next/trusty
       Status: New => In Progress

** Changed in: hwe-next/trusty
   Importance: Undecided => High

** Changed in: hwe-next/utopic
   Importance: Undecided => High

** Changed in: hwe-next/trusty
     Assignee: (unassigned) => Adam Lee (adam8157)

** Changed in: hwe-next/utopic
     Assignee: (unassigned) => Adam Lee (adam8157)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1413992

Title:
  Kernel oopses on access to address 0x8 when cdc-acm device is inserted
  with invalid descriptor.

Status in HWE Next Project:
  In Progress
Status in HWE Next trusty series:
  In Progress
Status in HWE Next utopic series:
  In Progress
Status in HWE Next vivid series:
  In Progress
Status in linux package in Ubuntu:
  In Progress

Bug description:
  Invalid configuration descriptor as follows:

  #+BEGIN_SRC text
  0000   09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02  ..C.....d.......
  0010   00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01  ...$....$...$...
  0020   05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00  .$..............
  0030   02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02  .........@......
  0040   20 00 ff                                          ..
  #+END_SRC text

  In particular, the CDC Call Management Descriptor has its length
  declared too short (4 instead of 5), and the following CDC Union
  Descriptor is therefore unreachable.

  *** Code problems:

  1. The ~while (buflen > 0)~ loop that parses the interface aux data
     does not perform correct boundary checking.  In the above case,
     ~call_interface_num = buffer[4];~ accesses outside of the
     (declared) descriptor content.
  2. If a union header is missing, there is no code path that checks
     whether the ~data_interface~ (resolved from ~call_interface_num~)
     actually exists.  Later ~if
     (data_interface->cur_altsetting->desc.bInterfaceClass~ dereferences
     ~data_interface~.

  ref: https://bugzilla.kernel.org/show_bug.cgi?id=83551

  issue 2 was already fixed, issue 1's fix is in progress of upstream
  merging, open this bug to track.

To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1413992/+subscriptions

References

  Thread PreviousDate PreviousThread Next