On Tue, Feb 04, 2020 at 11:14:35AM +0100, Johan Hovold wrote:
On Tue, Feb 04, 2020 at 10:02:32AM +0000, Greg Kroah-Hartman wrote:
On Tue, Feb 04, 2020 at 09:24:41AM +0100, Johan Hovold wrote:
On Tue, Dec 10, 2019 at 12:37:31PM +0100, Johan Hovold wrote:
The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could be used by a malicious device (or USB descriptor fuzzer) to trigger a NULL-pointer dereference.
Looks like the stable tag was removed when this one was applied, and similar for patches 2, 4 and 7 of this series (commits 3111491fca4f, a8eeb74df5a6, 6b32391ed675 upstream).
While the last three are mostly an issue for the syzbot fuzzer, we have started backporting those as well.
This one (bcfcb7f9b480) is more clear cut as it can be used to trigger a NULL-deref.
I only noticed because Sasha picked up one of the other patches in the series which was never intended for stable.
Did I end up catching all of these properly? I've had to expand my search for some patches like this that do not explicitly have the cc: stable mark on them as not all subsystems do this well (if at all.)
No, sorry, should have been more clear on that point; these four were never picked up for stable it seems.
I was a bit surprised to see the stable-tags be removed from the original submissions here, even if I know the net-maintainers do this routinely, and any maintainer can of course override a submitters judgement.
Sorry, dropping stable tags was not intentional. I was trying to improve my tooling and drop the CC noise from the changelogs, but my script got too eager and removed "Cc: stable" as well. I believe my tool should be fixed now and it should not happen again.