From patchwork Tue Mar  7 18:14:13 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Johan Hovold <johan@kernel.org>
X-Patchwork-Id: 39840
X-Patchwork-Delegate: sean@mess.org
Received: from mail.tu-berlin.de ([130.149.7.33])
	by www.linuxtv.org with esmtp (Exim 4.84_2)
	(envelope-from <linux-media-owner@vger.kernel.org>)
	id 1clJjC-00045B-42; Tue, 07 Mar 2017 18:20:54 +0000
X-tubIT-Incoming-IP: 209.132.180.67
Received: from vger.kernel.org ([209.132.180.67])
	by mail.tu-berlin.de (exim-4.84_2/mailfrontend-6) with esmtp
	id 1clJj9-0007UI-4j; Tue, 07 Mar 2017 19:20:53 +0100
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933010AbdCGSUJ (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other);
	Tue, 7 Mar 2017 13:20:09 -0500
Received: from mail-lf0-f65.google.com ([209.85.215.65]:32806 "EHLO
	mail-lf0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932683AbdCGST6 (ORCPT
	<rfc822; linux-media@vger.kernel.org>); Tue, 7 Mar 2017 13:19:58 -0500
Received: by mail-lf0-f65.google.com with SMTP id r36so761532lfi.0;
	Tue, 07 Mar 2017 10:19:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=sender:from:to:cc:subject:date:message-id;
	bh=SaF1qj+nlt2nxgRpiMgYglVrAM3CpETx8td27+GFX/M=;
	b=CH+QOWJooAzjPVqJDkYmSANBK2f64KHSpcT3zBrg8aen4BHgg76tkOWW8C38bGV0FF
	1Qu09gWGo8pmPiegT91jdE4LB+uvd+bZBZxEGy14ZrkW50Xbvcx+bJFRHMgQpgQ01byU
	8103kJVED1ErPL8EzG/p4EN+gEl315gEUrXh9G3cnbcaiOjp/Poz/41zMs5sBRUckXVW
	D2YqcFs++ElboVyjZm8zo+g+DdjEc1UByjiE4xGK/jQDa15krJ7VnloJXx4c5keNq73N
	3xD68aroXWFKhnJyVs9cds/BDJBrXkSUCUlvFse+RRC1XuH7HiMpIsVNV1t4/2Y/9TOF
	B7FQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:from:to:cc:subject:date:message-id;
	bh=SaF1qj+nlt2nxgRpiMgYglVrAM3CpETx8td27+GFX/M=;
	b=BTJ5SzEAH5WbqJCod7PiTJB1y4Ckrh42rSjXiz1GIfgZQU5oTiX0z8BfgjIj1sT+PY
	PC1chpMwbgRHBWj5eanZfyF9lz+H/A4x799aU5Igs/MWitI/n6qVL3exbaPIfmoL+fps
	nY/qLs1h8nLniWSJDmOcQfTDzFDiRlHr2QcSfH1iapoua8BLQlJ+/SFK+xfExIad/V9u
	4l6+4NT8jLzTXcwQaKoouRiHAfMtbs0vL5P2Nikf8RgpdjljdZ8YFy8K/cJQLJqLD/J1
	MFNmZCjg+YGr8mfJquI0jOFk6e5CeVlPFEhBQ9HuQkwGpxMn2SBQzi3Q55bZsd1v8X6b
	26UA==
X-Gm-Message-State: 
 AMke39m9GNYM3GvuLFFfjn91UnwKCK7AAQTowJ++27PB+nuncVIZFzu5nnuQcm0v01tnZA==
X-Received: by 10.25.221.195 with SMTP id w64mr448274lfi.31.1488910521961;
	Tue, 07 Mar 2017 10:15:21 -0800 (PST)
Received: from xi.terra ([84.216.234.102])
	by smtp.gmail.com with ESMTPSA id 1sm131927ljo.43.2017.03.07.10.15.20
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 07 Mar 2017 10:15:21 -0800 (PST)
Received: from johan by xi.terra with local (Exim 4.89_RC7)
	(envelope-from <johan@xi.terra>)
	id 1clJdm-0001tr-Jt; Tue, 07 Mar 2017 19:15:19 +0100
From: Johan Hovold <johan@kernel.org>
To: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Jarod Wilson <jarod@redhat.com>, linux-media@vger.kernel.org,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	stable@vger.kernel.org, Johan Hovold <johan@kernel.org>
Subject: [PATCH] [media] mceusb: fix NULL-deref at probe
Date: Tue,  7 Mar 2017 19:14:13 +0100
Message-Id: <20170307181413.7264-1-johan@kernel.org>
X-Mailer: git-send-email 2.12.0
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409,
	Antispam-Data: 2017.3.7.181216
X-PMX-Spam: Gauge=IIIIIIII, Probability=8%, Report='
	MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05,
	BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_1000_LESS 0,
	BODY_SIZE_2000_LESS 0, BODY_SIZE_5000_LESS 0,
	BODY_SIZE_7000_LESS 0, BODY_SIZE_900_999 0, DKIM_SIGNATURE 0,
	FROM_SAME_AS_TO_DOMAIN 0, LEGITIMATE_SIGNS 0,
	MULTIPLE_REAL_RCPTS 0, NO_URI_HTTPS 0, __ANY_URI 0,
	__CC_NAME 0, __CC_NAME_DIFF_FROM_ACC 0, __CC_REAL_NAMES 0,
	__FROM_DOMAIN_IN_ANY_CC2 0, __FROM_DOMAIN_IN_ANY_TO2 0,
	__FROM_DOMAIN_IN_RCPT 0, __HAS_CC_HDR 0, __HAS_FROM 0,
	__HAS_LIST_ID 0, __HAS_MSGID 0, __HAS_X_MAILER 0,
	__HAS_X_MAILING_LIST 0, __MIME_TEXT_ONLY 0, __MIME_TEXT_P 0,
	__MIME_TEXT_P1 0, __MULTIPLE_RCPTS_CC_X2 0,
	__NO_HTML_TAG_RAW 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0,
	__TO_MALFORMED_2 0, __TO_NAME 0, __TO_NAME_DIFF_FROM_ACC 0,
	__TO_REAL_NAMES 0, __TO_SAME_AS_FROM_DOMAIN 0, __URI_NO_WWW 0,
	__URI_NS , __YOUTUBE_RCVD 0'

Make sure to check for the required out endpoint to avoid dereferencing
a NULL-pointer in mce_request_packet should a malicious device lack such
an endpoint. Note that this path it hit during probe.

Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver")
Cc: stable <stable@vger.kernel.org>	# 2.6.36
Signed-off-by: Johan Hovold <johan@kernel.org>
---

Found through inspection, compile tested only.

Johan


 drivers/media/rc/mceusb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
index 238d8eaf7d94..93b16fe3ab38 100644
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1288,8 +1288,8 @@ static int mceusb_dev_probe(struct usb_interface *intf,
 			}
 		}
 	}
-	if (ep_in == NULL) {
-		dev_dbg(&intf->dev, "inbound and/or endpoint not found");
+	if (!ep_in || !ep_out) {
+		dev_dbg(&intf->dev, "required endpoints not found\n");
 		return -ENODEV;
 	}