1. Patchew
  2. linux
  3. View series

[PATCH] can: etas_es58x: fix potential NULL pointer dereference on udev->serial

Vincent Mailhol posted 1 patch 10 months, 1 week ago 
drivers/net/can/usb/etas_es58x/es58x_devlink.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
[PATCH] can: etas_es58x: fix potential NULL pointer dereference on udev->serial
Posted by Vincent Mailhol 10 months, 1 week ago 
The driver assumed that es58x_dev->udev->serial could never be NULL.
While this is true on commercially available devices, an attacker
could spoof the device identity providing a NULL USB serial number.
That would trigger a NULL pointer dereference.

Add a check on es58x_dev->udev->serial before accessing it.

Reported-by: yan kang <kangyan91@outlook.com>
Reported-by: yue sun <samsun1006219@gmail.com>
Closes: https://lore.kernel.org/linux-can/SY8P300MB0421E0013C0EBD2AA46BA709A1F42@SY8P300MB0421.AUSP300.PROD.OUTLOOK.COM/
Fixes: 9f06631c3f1f ("can: etas_es58x: export product information through devlink_ops::info_get()")
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
---
 drivers/net/can/usb/etas_es58x/es58x_devlink.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/can/usb/etas_es58x/es58x_devlink.c b/drivers/net/can/usb/etas_es58x/es58x_devlink.c
index eee20839d96f..0d155eb1b9e9 100644
--- a/drivers/net/can/usb/etas_es58x/es58x_devlink.c
+++ b/drivers/net/can/usb/etas_es58x/es58x_devlink.c
@@ -248,7 +248,11 @@ static int es58x_devlink_info_get(struct devlink *devlink,
 			return ret;
 	}
 
-	return devlink_info_serial_number_put(req, es58x_dev->udev->serial);
+	if (es58x_dev->udev->serial)
+		ret = devlink_info_serial_number_put(req,
+						     es58x_dev->udev->serial);
+
+	return ret;
 }
 
 const struct devlink_ops es58x_dl_ops = {
-- 
2.45.3
Re: [PATCH] can: etas_es58x: fix potential NULL pointer dereference on udev->serial
Posted by Marc Kleine-Budde 10 months, 1 week ago 
On 05.02.2025 00:48:15, Vincent Mailhol wrote:
> The driver assumed that es58x_dev->udev->serial could never be NULL.
> While this is true on commercially available devices, an attacker
> could spoof the device identity providing a NULL USB serial number.
> That would trigger a NULL pointer dereference.
> 
> Add a check on es58x_dev->udev->serial before accessing it.
> 
> Reported-by: yan kang <kangyan91@outlook.com>
> Reported-by: yue sun <samsun1006219@gmail.com>
> Closes: https://lore.kernel.org/linux-can/SY8P300MB0421E0013C0EBD2AA46BA709A1F42@SY8P300MB0421.AUSP300.PROD.OUTLOOK.COM/
> Fixes: 9f06631c3f1f ("can: etas_es58x: export product information through devlink_ops::info_get()")
> Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>

Applied to linux-can.

Thanks,
Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde          |
Embedded Linux                   | https://www.pengutronix.de |
Vertretung Nürnberg              | Phone: +49-5121-206917-129 |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-9   |

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.