net: usb: pegasus: validate USB endpoints

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The pegasus driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.

Cc: Petko Manolov <petkan@nucleusys.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022347-legibly-attest-cc5c@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Greg Kroah-Hartman and committed by

Jakub Kicinski 3 months ago 11de1d3a 12133a48

+12 -1

1 changed file

expand all

drivers

net

usb

pegasus.c

+12 -1

drivers/net/usb/pegasus.c

··· 812 812 813 813 static int alloc_urbs(pegasus_t *pegasus) 814 814 { 815 + static const u8 bulk_ep_addr[] = { 816 + 1 | USB_DIR_IN, 817 + 2 | USB_DIR_OUT, 818 + 0}; 819 + static const u8 int_ep_addr[] = { 820 + 3 | USB_DIR_IN, 821 + 0}; 815 822 int res = -ENOMEM; 823 + 824 + if (!usb_check_bulk_endpoints(pegasus->intf, bulk_ep_addr) || 825 + !usb_check_int_endpoints(pegasus->intf, int_ep_addr)) 826 + return -ENODEV; 816 827 817 828 pegasus->rx_urb = usb_alloc_urb(0, GFP_KERNEL); 818 829 if (!pegasus->rx_urb) { ··· 1179 1168 1180 1169 pegasus = netdev_priv(net); 1181 1170 pegasus->dev_index = dev_index; 1171 + pegasus->intf = intf; 1182 1172 1183 1173 res = alloc_urbs(pegasus); 1184 1174 if (res < 0) { ··· 1191 1179 1192 1180 INIT_DELAYED_WORK(&pegasus->carrier_check, check_carrier); 1193 1181 1194 - pegasus->intf = intf; 1195 1182 pegasus->usb = dev; 1196 1183 pegasus->net = net; 1197 1184

Configure Feed

Configure Feed