lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Tue, 7 Oct 2014 12:57:13 -0500
From:	Felipe Balbi <balbi@...com>
To:	Alan Stern <stern@...land.harvard.edu>
CC:	Felipe Balbi <balbi@...com>,
	Krzysztof Opasiak <k.opasiak@...sung.com>,
	"'Robert Baldyga'" <r.baldyga@...sung.com>,
	<gregkh@...uxfoundation.org>, <linux-usb@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>, <mina86@...a86.com>,
	<andrzej.p@...sung.com>
Subject: Re: [PATCH] usb: gadget: f_fs: add "zombie" mode

Hi,

On Tue, Oct 07, 2014 at 01:15:32PM -0400, Alan Stern wrote:
> > > Here also I agree. Zombie mode should "mock" the function until first
> > > next enumeration or unbind. It should not be possible to bind gadget
> > > with function in zombie mode to UDC. Zombie mode should "pretend" only
> > > as long as gadget is bound and enumerated.
> > 
> > Not really. We shouldn't even coonect to host until adbd is running.
> > Now, when adbd crashes we fix adbd. If it gets killed due to OOM we
> > can't even say "ok, we'll buffer USB requests until adbd is restarted"
> > because, well, we're running out of memory.
> > 
> > So, OOM we can't fix. Soon enough, another daemon (mtpd, ptpd, whatever)
> > will be killed and another function will be left unusable.
> > 
> > As for adbd/mtpd/ptpd crashes, those need to fixed and kernel should not
> > have to deal with them in any way.
> 
> It seems to me that we should imitate what an ordinary USB device would
> do.  If part of the firmware crashes, generally you would expect none
> of the endpoints associated with that function to work.  Either they
> refuse to accept output from the host or they stall everything.  But
> endpoints associated with other parts of the firmware might very well
> continue to work okay.

dunno, I have never seen a USB device firmware crash and I don't think
anybody deliberately does anything to make sure other parts of the
device work. If it _does_ work, I'd assume it's really by chance.

> Don't buffer requests.  Either allow the internal FIFOs to fill up or
> else reject everything.  Any reasonable host will start getting timeout
> expirations and will realize that something is wrong.

Right, but if we allow this, I can already see folks abusing to connect
to the host early and only when necessary do some trickery to e.g. start
adbd (not saying Android will do this, just using it as an easy
example).

Sure, we can deactivate and only activate when files are opened but is
there any guarantee that when a process receives segfault that we will
have, from FFS point of view, any information to know that the thing
crashed ? I mean, a userland application can register its own handler
for SIGSEGV/SIGKILL, right ? And that handler could very well just call
close() on all file descriptors. Then how do we differentiate a normal
close() from a "oh-crap-I-died" close() ?

-- 
balbi

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists