| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Feb 2018 22:10:30 +0800
From: wlf <wulf@...k-chips.com>
To: Jack Pham <jackp@...eaurora.org>,
William Wu <william.wu@...k-chips.com>
Cc: gregkh@...uxfoundation.org, felipe.balbi@...ux.intel.com,
linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
linux-rockchip@...ts.infradead.org, frank.wang@...k-chips.com,
huangtao@...k-chips.com, daniel.meng@...k-chips.com,
fml@...k-chips.com
Subject: Re: [PATCH] usb: gadget: f_fs: get the correct address of comp_desc
Hi Jack,
在 2018年02月06日 02:17, Jack Pham 写道:
> Hi William,
>
> On Mon, Feb 05, 2018 at 07:33:38PM +0800, William Wu wrote:
>> Refer to the USB 3.0 spec '9.6.7 SuperSpeed Endpoint Companion',
>> the companion descriptor follows the standard endpoint descriptor.
>> This descriptor is only defined for SuperSpeed endpoints. The
>> f_fs driver gets the address of the companion descriptor via
>> 'ds + USB_DT_ENDPOINT_SIZE', and actually, the ds variable is
>> a pointer to the struct usb_endpoint_descriptor, so the offset
>> of the companion descriptor which we get is USB_DT_ENDPOINT_SIZE *
>> sizeof(struct usb_endpoint_descriptor), the wrong offset is 63
>> bytes. This cause out-of-bound with the following error log if
>> CONFIG_KASAN and CONFIG_SLUB_DEBUG is enabled on Rockchip RK3399
>> Evaluation Board.
>>
>> android_work: sent uevent USB_STATE=CONNECTED
>> configfs-gadget gadget: super-speed config #1: b
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x230/0x398
>> Read of size 1 at addr ffffffc0ce2d0b10 by task irq/224-dwc3/364
>> Memory state around the buggy address:
>> ffffffc0ce2d0a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> ffffffc0ce2d0a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> >ffffffc0ce2d0b00: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ^
>> ffffffc0ce2d0b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffffffc0ce2d0c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ==================================================================
>> Disabling lock debugging due to kernel taint
>> android_work: sent uevent USB_STATE=CONFIGURED
>>
>> This patch adds struct usb_endpoint_descriptor * -> u8 * type conversion
>> for ds variable, then we can get the correct address of comp_desc
>> with offset USB_DT_ENDPOINT_SIZE bytes.
>>
>> Signed-off-by: William Wu <william.wu@...k-chips.com>
>> ---
>> drivers/usb/gadget/function/f_fs.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
>> index 6756472..f13ead0 100644
>> --- a/drivers/usb/gadget/function/f_fs.c
>> +++ b/drivers/usb/gadget/function/f_fs.c
>> @@ -1882,8 +1882,8 @@ static int ffs_func_eps_enable(struct ffs_function *func)
>> ep->ep->desc = ds;
>>
>> if (needs_comp_desc) {
>> - comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
>> - USB_DT_ENDPOINT_SIZE);
>> + comp_desc = (struct usb_ss_ep_comp_descriptor *)
>> + ((u8 *)ds + USB_DT_ENDPOINT_SIZE);
>> ep->ep->maxburst = comp_desc->bMaxBurst + 1;
>> ep->ep->comp_desc = comp_desc;
>> }
> Please see my alternative fix for this. I proposed changing this
> function to use config_ep_by_speed() instead.
>
> https://www.spinics.net/lists/linux-usb/msg165149.html
Thanks for your great job!
Your patch seems good, I will test your patch on my RK3399-EVB board.
William
>
> Jack
Powered by blists - more mailing lists