lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <2023062945-fencing-pebble-0411@gregkh>
Date:   Thu, 29 Jun 2023 17:36:51 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Kees Cook <keescook@...omium.org>
Cc:     llvm@...ts.linux.dev, linux-kbuild@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org,
        Borislav Petkov <bp@...en8.de>, linux-usb@...r.kernel.org
Subject: UBSAN spat in valid xhci code in Linus's current tree (6.4+)

Hi Kees.

Boris just reported to me a UBSAN splat in the USB xhci driver in
Linus's tree that wasn't present in 6.4-final, and given that no USB
changes are merged yet there, I was confused.

Turns out, I think you all missed a "variable length" structure in the
xhci driver, which UBSAN is calling out a being an overrun, when really
it isn't (it's just written that way...)

The splat is:

UBSAN: array-index-out-of-bounds in drivers/usb/host/xhci-hub.c:231:31
index 1 is out of range for type '__le32 [1]'
CPU: 0 PID: 1556 Comm: kworker/0:2 Not tainted 6.4.0+ #7


And yes, the code there:
	ssp_cap->bmSublinkSpeedAttr[offset++] = cpu_to_le32(attr);

is accessing the ssp_cap->bmSublinkSpeedAttr field with is declared as:
	_le32 bmSublinkSpeedAttr[1]; /* list of sublink speed attrib entries */

in include/uapi/linux/usb/ch9.h

So perhaps 2d47c6956ab3 ("ubsan: Tighten UBSAN_BOUNDS on GCC") should be
reverted for now?  Or this field fixed up to properly be marked as a
variable length array of at least one entry?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ