
Bug#568397: marked as done (linux-image-2.6.32-trunk-amd64: null pointer dereference on USB CDC ACM device with no endpoints on control interface)



Your message dated Wed, 10 Jul 2013 17:31:10 +0200
with message-id <20130710153110.GC10653@inutil.org>
and subject line Re: Bug#568397: linux-image-2.6.32-trunk-amd64: null pointer dereference on USB CDC ACM device with no endpoints on control interface
has caused the Debian Bug report #568397,
regarding linux-image-2.6.32-trunk-amd64: null pointer dereference on USB CDC ACM device with no endpoints on control interface
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
568397: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568397
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: linux-2.6
Version: 2.6.32-5
Severity: normal

Hi,

while playing with a USB device, I found that the kernel dereferences a
NULL pointer if a CDC ACM device declares to have no endpoints
associated with the CDC control interface. I believe the validity check
should be more stringent here.

The relevant bits of code look like this:

        epctrl = &control_interface->cur_altsetting->endpoint[0].desc;
        epread = &data_interface->cur_altsetting->endpoint[0].desc;
        epwrite = &data_interface->cur_altsetting->endpoint[1].desc;

No further verification except for swapped data endpoints is performed
afterwards.

   Simon

-- Package-specific info:
** Version:
Linux version 2.6.32-trunk-amd64 (Debian 2.6.32-5) (ben@decadent.org.uk) (gcc version 4.3.4 (Debian 4.3.4-6) ) #1 SMP Sun Jan 10 22:40:40 UTC 2010

** Command line:
BOOT_IMAGE=/vmlinuz-2.6.32-trunk-amd64 root=/dev/mapper/richter-root ro quiet

** Not tainted

** Kernel log:
[11278.817700] cdc_acm 2-3:1.0: This device cannot do calls on its own. It is not a modem.
[11278.817743] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[11278.817746] IP: [<ffffffffa02b9ca9>] acm_probe+0x4d6/0xcb1 [cdc_acm]
[11278.817756] PGD 600d1067 PUD 60086067 PMD 0 
[11278.817760] Oops: 0000 [#1] SMP 
[11278.817762] last sysfs file: /sys/devices/pci0000:00/0000:00:12.0/usb2/2-3/manufacturer
[11278.817765] CPU 0 
[11278.817841] Pid: 309, comm: khubd Not tainted 2.6.32-trunk-amd64 #1 GA-MA74GM-S2H
[11278.817843] RIP: 0010:[<ffffffffa02b9ca9>]  [<ffffffffa02b9ca9>] acm_probe+0x4d6/0xcb1 [cdc_acm]
[11278.817849] RSP: 0018:ffff88006cea1930  EFLAGS: 00010293
[11278.817851] RAX: 0000000000000000 RBX: ffff880052c08800 RCX: 0000000000000000
[11278.817853] RDX: 0000000000000000 RSI: 00000000000080d0 RDI: ffff8800376ea000
[11278.817856] RBP: ffff8800376e9000 R08: 000000000000000c R09: ffff880062ae9888
[11278.817858] R10: 000080d0000000d0 R11: 00000000000186a0 R12: ffff880062ae9888
[11278.817860] R13: ffff880052c08000 R14: 0000000000000000 R15: ffff880052c08000
[11278.817863] FS:  00007f4dc9bf5910(0000) GS:ffff880001800000(0000) knlGS:0000000000000000
[11278.817866] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
[11278.817868] CR2: 0000000000000004 CR3: 0000000060157000 CR4: 00000000000006f0
[11278.817870] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[11278.817873] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[11278.817875] Process khubd (pid: 309, threadinfo ffff88006cea0000, task ffff88006cdff810)
[11278.817877] Stack:
[11278.817879]  ffffffff813c7d84 ffff88006f5329a0 0000000000000000 ffffffff810fcb34
[11278.817882] <0> ffff880060130090 ffffffff8113cebf 0000000000000000 ffff880052c08800
[11278.817886] <0> 0000000000000000 ffff880062ae9840 ffff880060130000 ffffffff00000000
[11278.817890] Call Trace:
[11278.817897]  [<ffffffff810fcb34>] ? iput+0x27/0x60
[11278.817902]  [<ffffffff8113cebf>] ? sysfs_addrm_finish+0x66/0x204
[11278.817914]  [<ffffffffa005975a>] ? usb_match_one_id+0x23/0x7f [usbcore]
[11278.817924]  [<ffffffffa005a6dd>] ? usb_probe_interface+0x107/0x157 [usbcore]
[11278.817930]  [<ffffffff8120e0e8>] ? driver_probe_device+0xa3/0x14b
[11278.817934]  [<ffffffff8120e1ff>] ? __device_attach+0x0/0x39
[11278.817937]  [<ffffffff8120d713>] ? bus_for_each_drv+0x46/0x77
[11278.817940]  [<ffffffff8120e2bb>] ? device_attach+0x60/0x7e
[11278.817942]  [<ffffffff8120d58b>] ? bus_probe_device+0x1f/0x38
[11278.817948]  [<ffffffff8120c258>] ? device_add+0x3a2/0x537
[11278.817956]  [<ffffffffa005942a>] ? usb_set_configuration+0x589/0x5f2 [usbcore]
[11278.817965]  [<ffffffffa0060dac>] ? generic_probe+0x61/0xa9 [usbcore]
[11278.817969]  [<ffffffff8120e0e8>] ? driver_probe_device+0xa3/0x14b
[11278.817972]  [<ffffffff8120e1ff>] ? __device_attach+0x0/0x39
[11278.817975]  [<ffffffff8120d713>] ? bus_for_each_drv+0x46/0x77
[11278.817978]  [<ffffffff8120e2bb>] ? device_attach+0x60/0x7e
[11278.817981]  [<ffffffff8120d58b>] ? bus_probe_device+0x1f/0x38
[11278.817986]  [<ffffffff8120c258>] ? device_add+0x3a2/0x537
[11278.817993]  [<ffffffffa00531ec>] ? usb_new_device+0x125/0x186 [usbcore]
[11278.818001]  [<ffffffffa00548ec>] ? hub_thread+0xc19/0x1175 [usbcore]
[11278.818006]  [<ffffffff81064aae>] ? autoremove_wake_function+0x0/0x2e
[11278.818014]  [<ffffffffa0053cd3>] ? hub_thread+0x0/0x1175 [usbcore]
[11278.818017]  [<ffffffff810647e1>] ? kthread+0x79/0x81
[11278.818021]  [<ffffffff81011b6a>] ? child_rip+0xa/0x20
[11278.818024]  [<ffffffff81064768>] ? kthread+0x0/0x81
[11278.818026]  [<ffffffff81011b60>] ? child_rip+0x0/0x20
[11278.818028] Code: 33 9c 2b a0 ff 13 48 83 c3 08 48 83 3b 00 eb d8 48 85 ed b8 f4 ff ff ff 0f 84 ab 07 00 00 48 8b 54 24 40 31 c0 48 83 7c 24 68 02 <0f> b7 52 04 0f 95 c0 ff c0 89 44 24 60 89 54 24 5c 41 0f b7 44 
[11278.818054] RIP  [<ffffffffa02b9ca9>] acm_probe+0x4d6/0xcb1 [cdc_acm]
[11278.818058]  RSP <ffff88006cea1930>
[11278.818060] CR2: 0000000000000004
[11278.818062] ---[ end trace ba11069b8b4d1dae ]---

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages linux-image-2.6.32-trunk-amd64 depends on:
ii  debconf [debconf-2.0]        1.5.28      Debian configuration management sy
ii  initramfs-tools [linux-initr 0.93.4      tools for generating an initramfs
ii  module-init-tools            3.12~pre1-1 tools for managing Linux kernel mo

Versions of packages linux-image-2.6.32-trunk-amd64 recommends:
ii  firmware-linux-free           2.6.32-6   Binary firmware for various driver

Versions of packages linux-image-2.6.32-trunk-amd64 suggests:
ii  grub                          0.97-60    GRand Unified Bootloader (dummy pa
pn  linux-doc-2.6.32              <none>     (no description available)

Versions of packages linux-image-2.6.32-trunk-amd64 is related to:
pn  firmware-bnx2                 <none>     (no description available)
pn  firmware-bnx2x                <none>     (no description available)
pn  firmware-ipw2x00              <none>     (no description available)
pn  firmware-ivtv                 <none>     (no description available)
pn  firmware-iwlwifi              <none>     (no description available)
ii  firmware-linux                0.22       Binary firmware for various driver
ii  firmware-linux-nonfree        0.22       Binary firmware for various driver
pn  firmware-qlogic               <none>     (no description available)
pn  firmware-ralink               <none>     (no description available)

-- debconf information excluded



--- End Message ---
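An added example, not code from the cdc_acm driver or from the upstream commit: a stand-alone C model of the three endpoint lookups quoted in the report, with the endpoint-count check that the report says is missing placed in front of them. The structure names mirror the kernel's but are constructed stand-ins, and probe_with_counts is an assumed helper that builds a device declaring the given endpoint counts.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the kernel structures acm_probe walks. */
struct usb_endpoint_descriptor {
    uint8_t  bEndpointAddress;
    uint8_t  bmAttributes;
    uint16_t wMaxPacketSize;
};
struct usb_host_endpoint { struct usb_endpoint_descriptor desc; };
struct usb_interface_descriptor { uint8_t bNumEndpoints; };
struct usb_host_interface {
    struct usb_interface_descriptor desc;
    struct usb_host_endpoint *endpoint;   /* NULL when the altsetting has none */
};
struct usb_interface { struct usb_host_interface *cur_altsetting; };

/* Hardened counterpart of the three unchecked lines in the report: reject an
 * altsetting that lacks the endpoints about to be indexed instead of reading
 * through a NULL endpoint array. */
static int acm_pick_endpoints(const struct usb_interface *control_interface,
                              const struct usb_interface *data_interface,
                              const struct usb_endpoint_descriptor **epctrl,
                              const struct usb_endpoint_descriptor **epread,
                              const struct usb_endpoint_descriptor **epwrite)
{
    const struct usb_host_interface *ctrl = control_interface->cur_altsetting;
    const struct usb_host_interface *data = data_interface->cur_altsetting;

    if (ctrl->desc.bNumEndpoints < 1 || !ctrl->endpoint)
        return -EINVAL;                   /* control interface has no endpoint */
    if (data->desc.bNumEndpoints < 2 || !data->endpoint)
        return -EINVAL;                   /* data interface lacks read/write pair */

    *epctrl  = &ctrl->endpoint[0].desc;
    *epread  = &data->endpoint[0].desc;
    *epwrite = &data->endpoint[1].desc;
    return 0;
}

/* Assumed helper: build a constructed device whose interfaces declare the given
 * endpoint counts and run the check; 0 on success, -EINVAL when rejected. */
int probe_with_counts(uint8_t ctrl_eps, uint8_t data_eps)
{
    struct usb_host_endpoint ctrl_ep[2] = {{{0x83, 0x03, 16}}, {{0, 0, 0}}};
    struct usb_host_endpoint data_ep[2] = {{{0x81, 0x02, 64}}, {{0x02, 0x02, 64}}};
    struct usb_host_interface ctrl_alt = {{ctrl_eps}, ctrl_eps ? ctrl_ep : NULL};
    struct usb_host_interface data_alt = {{data_eps}, data_eps ? data_ep : NULL};
    struct usb_interface ctrl_if = {&ctrl_alt}, data_if = {&data_alt};
    const struct usb_endpoint_descriptor *c, *r, *w;

    return acm_pick_endpoints(&ctrl_if, &data_if, &c, &r, &w);
}
```

A control interface with zero endpoints, the case the oops above shows, is now refused before anything is indexed.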
--- Begin Message ---
On Thu, Feb 04, 2010 at 10:44:41PM +0000, Ben Hutchings wrote:
> On Thu, Feb 04, 2010 at 03:51:32PM +0100, Simon Richter wrote:
> > Package: linux-2.6
> > Version: 2.6.32-5
> > Severity: normal
> > 
> > Hi,
> > 
> > while playing with a USB device, I found that the kernel dereferences a
> > NULL pointer if a CDC ACM device declares to have no endpoints
> > associated with the CDC control interface. I believe the validity check
> > should be more stringent here.
> 
> I agree.  Let's see what upstream has to say.

This was fixed upstream in
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=577045c0a76e34294f902a7d5d60e90b04d094d0
and is thus present in stable.

It was also merged into 2.6.32.22 and is thus also fixed in oldstable.

Cheers,
        Moritz

--- End Message ---
