can: etas_es58x: fix potential NULL pointer dereference on udev->serial

vincent-mailhol · marckleinebudde · commit a1ad2109ce41 · 2025-02-08T12:41:43.000+01:00
The driver assumed that es58x_dev->udev->serial could never be NULL. While this is true on commercially available devices, an attacker could spoof the device identity providing a NULL USB serial number. That would trigger a NULL pointer dereference. Add a check on es58x_dev->udev->serial before accessing it. Reported-by: yan kang <kangyan91@outlook.com> Reported-by: yue sun <samsun1006219@gmail.com> Closes: https://lore.kernel.org/linux-can/SY8P300MB0421E0013C0EBD2AA46BA709A1F42@SY8P300MB0421.AUSP300.PROD.OUTLOOK.COM/ Fixes: 9f06631 ("can: etas_es58x: export product information through devlink_ops::info_get()") Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr> Link: https://patch.msgid.link/20250204154859.9797-2-mailhol.vincent@wanadoo.fr Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
diff --git a/drivers/net/can/usb/etas_es58x/es58x_devlink.c b/drivers/net/can/usb/etas_es58x/es58x_devlink.c
@@ -248,7 +248,11 @@ static int es58x_devlink_info_get(struct devlink *devlink,
 			return ret;
 	}
 
-	return devlink_info_serial_number_put(req, es58x_dev->udev->serial);
+	if (es58x_dev->udev->serial)
+		ret = devlink_info_serial_number_put(req,
+						     es58x_dev->udev->serial);
+
+	return ret;
 }
 
 const struct devlink_ops es58x_dl_ops = {

Original file line number	Diff line number	Diff line change
`@@ -248,7 +248,11 @@ static int es58x_devlink_info_get(struct devlink *devlink,`
`248`	`248`	`return ret;`
`249`	`249`	`}`
`250`	`250`
`251`		`- return devlink_info_serial_number_put(req, es58x_dev->udev->serial);`
	`251`	`+ if (es58x_dev->udev->serial)`
	`252`	`+ ret = devlink_info_serial_number_put(req,`
	`253`	`+ es58x_dev->udev->serial);`
	`254`	`+`
	`255`	`+ return ret;`
`252`	`256`	`}`
`253`	`257`
`254`	`258`	`const struct devlink_ops es58x_dl_ops = {`