From 062a0edacf29e234b60d582dd38697793d8efb61 Mon Sep 17 00:00:00 2001
From: Adrian Stratulat <adrian.stratulat@enea.com>
Date: Wed, 30 Oct 2019 12:33:58 +0100
Subject: USB: usbtest: CVE-2017-16532

usb: usbtest: fix NULL pointer dereference

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-16532
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c80f9e4a588f1925b07134bb2e3689335f6c6d8
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=8cf061d919e2102d0de0379bafea6cce1405d786

Change-Id: I988e0689224b6b5c0105fecf4e753516b8a9fe92
Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
---
 patches/cve/CVE-2017-16532.patch | 49 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 patches/cve/CVE-2017-16532.patch

(limited to 'patches/cve/CVE-2017-16532.patch')

diff --git a/patches/cve/CVE-2017-16532.patch b/patches/cve/CVE-2017-16532.patch
new file mode 100644
index 0000000..b72f9e2
--- /dev/null
+++ b/patches/cve/CVE-2017-16532.patch
@@ -0,0 +1,49 @@
+From 8cf061d919e2102d0de0379bafea6cce1405d786 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 29 Sep 2017 10:54:24 -0400
+Subject: usb: usbtest: fix NULL pointer dereference
+
+commit 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 upstream.
+
+If the usbtest driver encounters a device with an IN bulk endpoint but
+no OUT bulk endpoint, it will try to dereference a NULL pointer
+(out->desc.bEndpointAddress).  The problem can be solved by adding a
+missing test.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=8cf061d919e2102d0de0379bafea6cce1405d786]
+CVE: CVE-2017-16532
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Adrian Stratulat <adrian.stratulat@enea.com>
+---
+ drivers/usb/misc/usbtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
+index d94927e5623b..e31f72b3a22c 100644
+--- a/drivers/usb/misc/usbtest.c
++++ b/drivers/usb/misc/usbtest.c
+@@ -182,12 +182,13 @@ found:
+ 			return tmp;
+ 	}
+ 
+-	if (in) {
++	if (in)
+ 		dev->in_pipe = usb_rcvbulkpipe(udev,
+ 			in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
++	if (out)
+ 		dev->out_pipe = usb_sndbulkpipe(udev,
+ 			out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
+-	}
++
+ 	if (iso_in) {
+ 		dev->iso_in = &iso_in->desc;
+ 		dev->in_iso_pipe = usb_rcvisocpipe(udev,
+-- 
+cgit 1.2-0.3.lf.el7
+
-- 
cgit v1.2.3-54-g00ecf