lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 02 Dec 2013 10:31:34 -0800
From:	David Cohen <david.a.cohen@...ux.intel.com>
To:	balbi@...com
CC:	gregkh@...uxfoundation.org, stern@...land.harvard.edu,
	mina86@...a86.com, linux-usb@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v6 5/5] usb: dwc3: implement gadget's quirk ep_out_align_size

On 11/25/2013 01:06 PM, Felipe Balbi wrote:
> Hi,
> 
> On Tue, Nov 12, 2013 at 01:04:46PM -0800, David Cohen wrote:
>> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
>> index 5452c0fce360..7c2d36f6ad4b 100644
>> --- a/drivers/usb/dwc3/gadget.c
>> +++ b/drivers/usb/dwc3/gadget.c
>> @@ -1130,6 +1130,14 @@ static int dwc3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request,
>>  	dev_vdbg(dwc->dev, "queing request %p to %s length %d\n",
>>  			request, ep->name, request->length);
>>  
>> +	/* If ep out, roundup request->length to epout maxpacketsize */
>> +	if (!(dep->number & 1)) {
> 
> we have a direction field in the dep structure, please use that.
> 
>> +		unsigned int aligned = roundup(request->length,
>> +					       ep->desc->wMaxPacketSize);
>> +		req->pad = aligned - request->length;
>> +		request->length = aligned;
> 
> this is quite dangerous. You really don't know the size that gadget
> driver allocated. What if we're using SLOB and gadget driver allocated
> exactly 31 bytes (think MSC's CBW) ? Then you change request->length to
> 512-bytes (or 1024 if USB SS), and host happens to be buggy (or
> exploited somehow) and sends more than 31-bytes ? You told dwc3 you
> could receive more than 31-bytes even though you don't know what follows
> your 31-byte buffer.
> 
> This is why I have been saying that gadget driver *must* be the one
> hadnling this issue based on the quirk flag.

Thanks. I've seen different point of views in this thread. Since you're
the maintainer, I'll resend the patch following your directions.

Br, David



Download attachment "signature.asc" of type "application/pgp-signature" (898 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ