Kernel oopses on access to address 0x8 when cdc-acm device is inserted with invalid descriptor.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
HWE Next | Fix Released | High | Adam Lee |
Trusty | Fix Released | High | Adam Lee |
Utopic | Fix Released | High | Adam Lee |
Vivid | Fix Released | High | Adam Lee |
linux (Ubuntu) | Fix Released | High | Adam Lee |
Trusty | Fix Released | High | Adam Lee |
Utopic | Fix Released | High | Adam Lee |
Bug Description
Invalid configuration descriptor as follows:
#+BEGIN_SRC text
0000 09 02 43 00 02 01 00 80 64 09 04 00 00 01 02 02 ..C.....d.......
0010 00 00 05 24 00 10 01 04 24 02 06 04 24 01 00 01 ...$....$...$...
0020 05 24 06 00 01 07 05 81 03 08 00 ff 09 04 01 00 .$..............
0030 02 0a 00 00 00 07 05 82 02 40 00 ff 07 05 01 02 .........@......
0040 20 00 ff ..
#+END_SRC
In particular, the CDC Call Management Descriptor has its length
declared too short (4 instead of 5), and the following CDC Union
Descriptor is therefore unreachable.
*** Code problems:
1. The ~while (buflen > 0)~ loop that parses the interface aux data
does not perform correct boundary checking. In the above case,
~call_
(declared) descriptor content.
2. If a union header is missing, there is no code path that checks
whether the ~data_interface~ (resolved from ~call_interface
actually exists. Later ~if
(data_
~data_
ref: https:/
Issue 2 was already fixed; issue 1's fix is in the process of being merged upstream. Opening this bug to track it.
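A bounds-checked walk over the class-specific descriptors, as an added user-space example (not the kernel's code and not the upstream patch). `page_extra` is copied from offsets 0x12 to 0x24 of the dump in the report; `fixed_extra`, `struct cdc_ifaces` and `parse_cdc_extra` are names and data constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_CS_INTERFACE          0x24
#define USB_CDC_CALL_MANAGEMENT_TYPE 0x01
#define USB_CDC_UNION_TYPE           0x06

/* Hypothetical result type: -1 means "no valid descriptor of that kind seen". */
struct cdc_ifaces { int call_interface, union_master, union_slave; };

/* Bytes 0x12..0x24 of the dump in the report (Call Management bLength = 4). */
static const uint8_t page_extra[] = {
    0x05, 0x24, 0x00, 0x10, 0x01,  0x04, 0x24, 0x02, 0x06,
    0x04, 0x24, 0x01, 0x00, 0x01,  0x05, 0x24, 0x06, 0x00, 0x01 };
/* Constructed: the same bytes with the Call Management bLength set to 5. */
static const uint8_t fixed_extra[] = {
    0x05, 0x24, 0x00, 0x10, 0x01,  0x04, 0x24, 0x02, 0x06,
    0x05, 0x24, 0x01, 0x00, 0x01,  0x05, 0x24, 0x06, 0x00, 0x01 };

/* Returns 0 if the whole buffer was walked, -1 if a malformed length stopped it. */
int parse_cdc_extra(const uint8_t *buf, size_t len, struct cdc_ifaces *out)
{
    out->call_interface = out->union_master = out->union_slave = -1;
    while (len > 0) {
        size_t dlen = buf[0];
        /* A descriptor needs its 2-byte header and must fit in what is left. */
        if (dlen < 2 || dlen > len)
            return -1;
        if (buf[1] == USB_DT_CS_INTERFACE && dlen >= 3) {
            /* Only read fields that the declared length actually covers. */
            if (buf[2] == USB_CDC_CALL_MANAGEMENT_TYPE && dlen >= 5)
                out->call_interface = buf[4];
            if (buf[2] == USB_CDC_UNION_TYPE && dlen >= 5) {
                out->union_master = buf[3];
                out->union_slave = buf[4];
            }
        }
        buf += dlen;
        len -= dlen;
    }
    return 0;
}

int main(void)
{
    struct cdc_ifaces r;
    int rc = parse_cdc_extra(page_extra, sizeof(page_extra), &r);
    printf("report: rc=%d call=%d union=%d/%d\n", rc, r.call_interface, r.union_master, r.union_slave);
    rc = parse_cdc_extra(fixed_extra, sizeof(fixed_extra), &r);
    printf("fixed:  rc=%d call=%d union=%d/%d\n", rc, r.call_interface, r.union_master, r.union_slave);
    return 0;
}
```

On the reported bytes the short Call Management descriptor is not accepted and the walk stops at the stray `01` byte that follows it, so no union or call interface is reported and the caller has nothing to dereference.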
Changed in hwe-next:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Adam Lee (adam8157)
Changed in linux (Ubuntu):
status: Triaged → In Progress
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Trusty):
status: New → Fix Committed
Changed in linux (Ubuntu Utopic):
status: New → Fix Committed
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
Changed in linux (Ubuntu Utopic):
importance: Undecided → High
Changed in linux (Ubuntu Trusty):
assignee: nobody → Adam Lee (adam8157)
Changed in linux (Ubuntu Utopic):
assignee: nobody → Adam Lee (adam8157)
tags: added: verification-done-trusty verification-done-utopic; removed: verification-needed-trusty verification-needed-utopic
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
patch "cdc-acm: add sanity checks" added to usb-next