
Bug#568397: linux-image-2.6.32-trunk-amd64: null pointer dereference on USB CDC ACM device with no endpoints on control interface



Package: linux-2.6
Version: 2.6.32-5
Severity: normal

Hi,

while playing with a USB device, I found that the kernel dereferences a
NULL pointer if a CDC ACM device declares that it has no endpoints
associated with the CDC control interface. I believe the validity check
should be more stringent here.

The relevant bits of code look like this:

        epctrl = &control_interface->cur_altsetting->endpoint[0].desc;
        epread = &data_interface->cur_altsetting->endpoint[0].desc;
        epwrite = &data_interface->cur_altsetting->endpoint[1].desc;

No further verification except for swapped data endpoints is performed
afterwards.

   Simon

-- Package-specific info:
** Version:
Linux version 2.6.32-trunk-amd64 (Debian 2.6.32-5) (ben@decadent.org.uk) (gcc version 4.3.4 (Debian 4.3.4-6) ) #1 SMP Sun Jan 10 22:40:40 UTC 2010

** Command line:
BOOT_IMAGE=/vmlinuz-2.6.32-trunk-amd64 root=/dev/mapper/richter-root ro quiet

** Not tainted

** Kernel log:
[11278.817700] cdc_acm 2-3:1.0: This device cannot do calls on its own. It is not a modem.
[11278.817743] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[11278.817746] IP: [<ffffffffa02b9ca9>] acm_probe+0x4d6/0xcb1 [cdc_acm]
[11278.817756] PGD 600d1067 PUD 60086067 PMD 0 
[11278.817760] Oops: 0000 [#1] SMP 
[11278.817762] last sysfs file: /sys/devices/pci0000:00/0000:00:12.0/usb2/2-3/manufacturer
[11278.817765] CPU 0 
[11278.817767] Modules linked in: radeon ttm drm_kms_helper drm agpgart i2c_algo_bit ppdev lp sco bridge stp rfcomm bnep l2cap crc16 powernow_k8 cpufreq_powersave cpufreq_userspace cpufreq_conservative cpufreq_stats binfmt_misc deflate zlib_deflat
ellia serpent blowfish cast5 des_generic cbc cryptd aes_x86_64 aes_generic xcbc rmd160 sha256_generic sha1_generic hmac crypto_null af_key fuse nfsd exportfs nfs lockd fscache nfs_acl auth_rpcgss sunrpc nls_utf8 cifs hwmon_vid loop dm_crypt snd_hd
altek snd_hda_intel snd_seq_midi snd_hda_codec snd_rawmidi snd_seq_midi_event snd_hwdep snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer usbhid pl2303 snd btusb shpchp cdc_acm i2c_piix4 hid usbserial parport_pc edac_core k8temp e
h soundcore parport i2c_core processor rfkill snd_page_alloc pcspkr evdev ext3 jbd mbcache dm_mod ide_cd_mod cdrom sd_mod crc_t10dif ata_generic ide_pci_gener
c ahci ohci_hcd ehci_hcd atiixp r8169 libata 8139too 8139cp mii floppy button ide_core usbcore nls_base scsi_mod thermal fan thermal_sys [last unloaded: scsi_wait_scan]
[11278.817841] Pid: 309, comm: khubd Not tainted 2.6.32-trunk-amd64 #1 GA-MA74GM-S2H
[11278.817843] RIP: 0010:[<ffffffffa02b9ca9>]  [<ffffffffa02b9ca9>] acm_probe+0x4d6/0xcb1 [cdc_acm]
[11278.817849] RSP: 0018:ffff88006cea1930  EFLAGS: 00010293
[11278.817851] RAX: 0000000000000000 RBX: ffff880052c08800 RCX: 0000000000000000
[11278.817853] RDX: 0000000000000000 RSI: 00000000000080d0 RDI: ffff8800376ea000
[11278.817856] RBP: ffff8800376e9000 R08: 000000000000000c R09: ffff880062ae9888
[11278.817858] R10: 000080d0000000d0 R11: 00000000000186a0 R12: ffff880062ae9888
[11278.817860] R13: ffff880052c08000 R14: 0000000000000000 R15: ffff880052c08000
[11278.817863] FS:  00007f4dc9bf5910(0000) GS:ffff880001800000(0000) knlGS:0000000000000000
[11278.817866] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
[11278.817868] CR2: 0000000000000004 CR3: 0000000060157000 CR4: 00000000000006f0
[11278.817870] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[11278.817873] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[11278.817875] Process khubd (pid: 309, threadinfo ffff88006cea0000, task ffff88006cdff810)
[11278.817877] Stack:
[11278.817879]  ffffffff813c7d84 ffff88006f5329a0 0000000000000000 ffffffff810fcb34
[11278.817882] <0> ffff880060130090 ffffffff8113cebf 0000000000000000 ffff880052c08800
[11278.817886] <0> 0000000000000000 ffff880062ae9840 ffff880060130000 ffffffff00000000
[11278.817890] Call Trace:
[11278.817897]  [<ffffffff810fcb34>] ? iput+0x27/0x60
[11278.817902]  [<ffffffff8113cebf>] ? sysfs_addrm_finish+0x66/0x204
[11278.817914]  [<ffffffffa005975a>] ? usb_match_one_id+0x23/0x7f [usbcore]
[11278.817924]  [<ffffffffa005a6dd>] ? usb_probe_interface+0x107/0x157 [usbcore]
[11278.817930]  [<ffffffff8120e0e8>] ? driver_probe_device+0xa3/0x14b
[11278.817934]  [<ffffffff8120e1ff>] ? __device_attach+0x0/0x39
[11278.817937]  [<ffffffff8120d713>] ? bus_for_each_drv+0x46/0x77
[11278.817940]  [<ffffffff8120e2bb>] ? device_attach+0x60/0x7e
[11278.817942]  [<ffffffff8120d58b>] ? bus_probe_device+0x1f/0x38
[11278.817948]  [<ffffffff8120c258>] ? device_add+0x3a2/0x537
[11278.817956]  [<ffffffffa005942a>] ? usb_set_configuration+0x589/0x5f2 [usbcore]
[11278.817965]  [<ffffffffa0060dac>] ? generic_probe+0x61/0xa9 [usbcore]
[11278.817969]  [<ffffffff8120e0e8>] ? driver_probe_device+0xa3/0x14b
[11278.817972]  [<ffffffff8120e1ff>] ? __device_attach+0x0/0x39
[11278.817975]  [<ffffffff8120d713>] ? bus_for_each_drv+0x46/0x77
[11278.817978]  [<ffffffff8120e2bb>] ? device_attach+0x60/0x7e
[11278.817981]  [<ffffffff8120d58b>] ? bus_probe_device+0x1f/0x38
[11278.817986]  [<ffffffff8120c258>] ? device_add+0x3a2/0x537
[11278.817993]  [<ffffffffa00531ec>] ? usb_new_device+0x125/0x186 [usbcore]
[11278.818001]  [<ffffffffa00548ec>] ? hub_thread+0xc19/0x1175 [usbcore]
[11278.818006]  [<ffffffff81064aae>] ? autoremove_wake_function+0x0/0x2e
[11278.818014]  [<ffffffffa0053cd3>] ? hub_thread+0x0/0x1175 [usbcore]
[11278.818017]  [<ffffffff810647e1>] ? kthread+0x79/0x81
[11278.818021]  [<ffffffff81011b6a>] ? child_rip+0xa/0x20
[11278.818024]  [<ffffffff81064768>] ? kthread+0x0/0x81
[11278.818026]  [<ffffffff81011b60>] ? child_rip+0x0/0x20
[11278.818028] Code: 33 9c 2b a0 ff 13 48 83 c3 08 48 83 3b 00 eb d8 48 85 ed b8 f4 ff ff ff 0f 84 ab 07 00 00 48 8b 54 24 40 31 c0 48 83 7c 24 68 02 <0f> b7 52 04 0f 95 c0 ff c0 89 44 24 60 89 54 24 5c 41 0f b7 44 
[11278.818054] RIP  [<ffffffffa02b9ca9>] acm_probe+0x4d6/0xcb1 [cdc_acm]
[11278.818058]  RSP <ffff88006cea1930>
[11278.818060] CR2: 0000000000000004
[11278.818062] ---[ end trace ba11069b8b4d1dae ]---

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages linux-image-2.6.32-trunk-amd64 depends on:
ii  debconf [debconf-2.0]        1.5.28      Debian configuration management sy
ii  initramfs-tools [linux-initr 0.93.4      tools for generating an initramfs
ii  module-init-tools            3.12~pre1-1 tools for managing Linux kernel mo

Versions of packages linux-image-2.6.32-trunk-amd64 recommends:
ii  firmware-linux-free           2.6.32-6   Binary firmware for various driver

Versions of packages linux-image-2.6.32-trunk-amd64 suggests:
ii  grub                          0.97-60    GRand Unified Bootloader (dummy pa
pn  linux-doc-2.6.32              <none>     (no description available)

Versions of packages linux-image-2.6.32-trunk-amd64 is related to:
pn  firmware-bnx2                 <none>     (no description available)
pn  firmware-bnx2x                <none>     (no description available)
pn  firmware-ipw2x00              <none>     (no description available)
pn  firmware-ivtv                 <none>     (no description available)
pn  firmware-iwlwifi              <none>     (no description available)
ii  firmware-linux                0.22       Binary firmware for various driver
ii  firmware-linux-nonfree        0.22       Binary firmware for various driver
pn  firmware-qlogic               <none>     (no description available)
pn  firmware-ralink               <none>     (no description available)

-- debconf information excluded
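The check the report asks for, written out as an added example that is not part of the bug report or of the cdc_acm driver: the three-line lookup quoted above is wrapped in a function that refuses the device unless the control interface advertises at least one endpoint and the data interface at least two, and then keeps the swapped-data-endpoint fix-up the report mentions. The USB structures are constructed stand-ins (names follow the kernel's, layout does not), and `probe_constructed_device` builds a device like the one in the report.

```c
#include <stddef.h>
#include <stdint.h>
/* Minimal stand-ins for the kernel's USB structures (constructed for this
 * example; field names follow the real ones, layout does not). */
struct usb_endpoint_descriptor { uint8_t bEndpointAddress, bmAttributes; uint16_t wMaxPacketSize; };
struct usb_host_endpoint { struct usb_endpoint_descriptor desc; };
struct usb_host_interface { uint8_t bNumEndpoints; struct usb_host_endpoint *endpoint; /* NULL if 0 */ };
struct usb_interface { struct usb_host_interface *cur_altsetting; };
struct acm_endpoints { const struct usb_endpoint_descriptor *epctrl, *epread, *epwrite; };
#define USB_DIR_IN 0x80 /* direction bit of bEndpointAddress (USB spec) */

/* Hardened form of the lookup quoted in the report: check the advertised
 * endpoint count before indexing endpoint[], then keep the driver's existing
 * swapped-data-endpoint fix-up. Returns 0 on success, -1 on a bad device. */
int acm_find_endpoints(const struct usb_interface *control,
                       const struct usb_interface *data, struct acm_endpoints *out)
{
    const struct usb_host_interface *ctl = control->cur_altsetting;
    const struct usb_host_interface *dat = data->cur_altsetting;
    out->epctrl = out->epread = out->epwrite = NULL;
    if (ctl->bNumEndpoints < 1 || ctl->endpoint == NULL)
        return -1; /* the zero-endpoint control interface from the report */
    if (dat->bNumEndpoints < 2 || dat->endpoint == NULL)
        return -1;
    out->epctrl  = &ctl->endpoint[0].desc;
    out->epread  = &dat->endpoint[0].desc;
    out->epwrite = &dat->endpoint[1].desc;
    if (!(out->epread->bEndpointAddress & USB_DIR_IN)) { /* listed OUT first */
        const struct usb_endpoint_descriptor *t = out->epread;
        out->epread = out->epwrite;
        out->epwrite = t;
    }
    return 0;
}

/* Constructed device: control interface with ctl_num_eps endpoints (0 or 1),
 * data interface with its two bulk endpoints listed OUT-first. Returns -1 if
 * the lookup refused the device, 1 if it swapped so epread is IN, else 0. */
int probe_constructed_device(uint8_t ctl_num_eps)
{
    static struct usb_host_endpoint ctl_ep[1] = {{{0x83, 0x03, 16}}};
    static struct usb_host_endpoint dat_ep[2] = {{{0x02, 0x02, 64}}, {{0x81, 0x02, 64}}};
    struct usb_host_interface ctl_alt = { ctl_num_eps, ctl_num_eps ? ctl_ep : NULL };
    struct usb_host_interface dat_alt = { 2, dat_ep };
    struct usb_interface control = { &ctl_alt }, data = { &dat_alt };
    struct acm_endpoints ep;
    if (acm_find_endpoints(&control, &data, &ep) != 0)
        return -1;
    return ep.epread == &dat_ep[1].desc ? 1 : 0;
}
```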
