lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <5739.1463521960@turing-police.cc.vt.edu>
Date:	Tue, 17 May 2016 17:52:40 -0400
From:	Valdis Kletnieks <Valdis.Kletnieks@...edu>
To:	Alan Stern <stern@...land.harvard.edu>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:	linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org
Subject: UBSAN whinge in ihci-hub.c

So, not content with the amount of breakage I generate already, I
compiled with UBSAN enabled...

The immediately relevant part:

[    2.418576] ================================================================================
[    2.418579] UBSAN: Undefined behaviour in drivers/usb/host/ehci-hub.c:877:47
[    2.418582] index -1 is out of range for type 'u32 [1]'

The code there:

    875         u32 __iomem     *status_reg = &ehci->regs->port_status[
    876                                 (wIndex & 0xff) - 1];
    877         u32 __iomem     *hostpc_reg = &ehci->regs->hostpc[(wIndex & 0xff) - 1];
    878         u32             temp, temp1, status;

I'm guessing that the only reason port_status[] didn't throw an error
is that it's declared as 'u32 port_status[0]' with a 'u32 reserved3[9]'
behind it, while it's 'u32 hostpc[1]'.   So we have (possibly) 2 bugs:

1) hostpc should possibly be a 'u32 hostpc[0]'.  I'd attach a patch, except
I'm low on caffeine and unsure if the 'u32 reserved5[16]' that follows needs
to be a [17] to compensate.  Either that, or port_status[] and hostpc[]
should *both* be explicitly sized so range-checking works better.

2) We need to figure out who passed a 0 wIndex down the stack, resulting in
the busted indexing...

The entire splat:

[    2.418567] hub 1-0:1.0: USB hub found
[    2.418576] ================================================================================
[    2.418579] UBSAN: Undefined behaviour in drivers/usb/host/ehci-hub.c:877:47
[    2.418582] index -1 is out of range for type 'u32 [1]'
[    2.418587] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.6.0-next-20160517-00001-gede618fce89c-dirty #279
[    2.418590] Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A17 08/19/2015
[    2.418599]  0000000000000000 00000000ac1ab326 ffff88022ca232e8 ffffffffaa690aea
[    2.418605]  ffff88022ca23300 00000000ac1ab326 ffff88022ca23310 ffffffffffffffff
[    2.418613]  ffff88022ca23300 ffffffffaa7087ad ffffffffabd5aee0 ffff88022ca23358
[    2.418615] Call Trace:
[    2.418628]  [<ffffffffaa690aea>] dump_stack+0x7b/0xd1
[    2.418633]  [<ffffffffaa7087ad>] ubsan_epilogue+0xd/0x40
[    2.418639]  [<ffffffffaa708ec5>] __ubsan_handle_out_of_bounds+0x75/0xa0
[    2.418644]  [<ffffffffaa00312d>] ? syscall_slow_exit_work+0x1ed/0x310
[    2.418649]  [<ffffffffaa98b7b8>] ? usb_hcd_submit_urb+0x368/0xe00
[    2.418655]  [<ffffffffaa9b4dac>] ehci_hub_control+0xd9c/0xdc0
[    2.418662]  [<ffffffffaa98bd01>] usb_hcd_submit_urb+0x8b1/0xe00
[    2.418667]  [<ffffffffaa98da01>] usb_submit_urb+0x2e1/0x8f0
[    2.418672]  [<ffffffffaa132a72>] ? __init_waitqueue_head+0x52/0xa0
[    2.418677]  [<ffffffffaa98eced>] usb_start_wait_urb+0x7d/0x130
[    2.418682]  [<ffffffffaa98ee7c>] usb_control_msg+0xdc/0x120
[    2.418691]  [<ffffffffaa9861a9>] hub_probe+0x4e9/0x1110
[    2.418696]  [<ffffffffab077f27>] ? _raw_spin_unlock_irqrestore+0x87/0x90
[    2.418701]  [<ffffffffaa0f8bda>] ? preempt_count_sub+0x4a/0x90
[    2.418706]  [<ffffffffab077f14>] ? _raw_spin_unlock_irqrestore+0x74/0x90
[    2.418711]  [<ffffffffaa995369>] usb_probe_interface+0x139/0x3e0
[    2.418717]  [<ffffffffaa86b011>] driver_probe_device+0x131/0x3c0
[    2.418723]  [<ffffffffaa86b463>] __device_attach_driver+0xc3/0x180
[    2.418728]  [<ffffffffaa86b3a0>] ? __driver_attach+0x100/0x100
[    2.418732]  [<ffffffffaa867f1d>] bus_for_each_drv+0x8d/0x100
[    2.418737]  [<ffffffffaa86ad98>] __device_attach+0xe8/0x170
[    2.418742]  [<ffffffffaa86b583>] device_initial_probe+0x13/0x20
[    2.418746]  [<ffffffffaa869a67>] bus_probe_device+0xe7/0x150
[    2.418750]  [<ffffffffaa8669cb>] device_add+0x49b/0x690
[    2.418756]  [<ffffffffaa991f2b>] usb_set_configuration+0x5bb/0xc80
[    2.418762]  [<ffffffffaa9a4856>] generic_probe+0x36/0xa0
[    2.418766]  [<ffffffffaa9951eb>] usb_probe_device+0x3b/0x80
[    2.418770]  [<ffffffffaa86b011>] driver_probe_device+0x131/0x3c0
[    2.418775]  [<ffffffffaa86b463>] __device_attach_driver+0xc3/0x180
[    2.418779]  [<ffffffffaa86b3a0>] ? __driver_attach+0x100/0x100
[    2.418783]  [<ffffffffaa867f1d>] bus_for_each_drv+0x8d/0x100
[    2.418788]  [<ffffffffaa86ad98>] __device_attach+0xe8/0x170
[    2.418793]  [<ffffffffaa86b583>] device_initial_probe+0x13/0x20
[    2.418797]  [<ffffffffaa869a67>] bus_probe_device+0xe7/0x150
[    2.418801]  [<ffffffffaa8669cb>] device_add+0x49b/0x690
[    2.418807]  [<ffffffffaa9828c9>] usb_new_device+0x319/0x970
[    2.418812]  [<ffffffffaa98a01b>] usb_add_hcd+0x67b/0xa40
[    2.418817]  [<ffffffffaa9a86d3>] usb_hcd_pci_probe+0x4c3/0x770
[    2.418822]  [<ffffffffaa1464c6>] ? trace_hardirqs_on_caller+0x16/0x2c0
[    2.418827]  [<ffffffffaa0f8bda>] ? preempt_count_sub+0x4a/0x90
[    2.418832]  [<ffffffffaa9c1256>] ehci_pci_probe+0x36/0x40
[    2.418837]  [<ffffffffaa71e5fc>] pci_device_probe+0xdc/0x180
[    2.418842]  [<ffffffffaa86b011>] driver_probe_device+0x131/0x3c0
[    2.418846]  [<ffffffffaa86b359>] __driver_attach+0xb9/0x100
[    2.418851]  [<ffffffffaa86b2a0>] ? driver_probe_device+0x3c0/0x3c0
[    2.418855]  [<ffffffffaa867e0a>] bus_for_each_dev+0x8a/0xf0
[    2.418860]  [<ffffffffaa86a537>] driver_attach+0x27/0x50
[    2.418864]  [<ffffffffaa869e16>] bus_add_driver+0x116/0x2b0
[    2.418868]  [<ffffffffaa86bb6f>] driver_register+0x9f/0x160
[    2.418873]  [<ffffffffaa71d44f>] __pci_register_driver+0x8f/0xe0
[    2.418879]  [<ffffffffac37d5db>] ? ehci_hcd_init+0x90/0x90
[    2.418885]  [<ffffffffac37d640>] ehci_pci_init+0x65/0x67
[    2.418890]  [<ffffffffaa00043f>] do_one_initcall+0x5f/0x210
[    2.418896]  [<ffffffffac320848>] kernel_init_freeable+0x33d/0x3d4
[    2.418903]  [<ffffffffab069e6f>] kernel_init+0xf/0x120
[    2.418907]  [<ffffffffab07897f>] ret_from_fork+0x1f/0x40
[    2.418911]  [<ffffffffab069e60>] ? rest_init+0x170/0x170
[    2.418915] ================================================================================
[    2.418934] hub 1-0:1.0: 2 ports detected
[    2.419850] ehci-pci 0000:00:1d.0: EHCI Host Controller
[    2.419993] ehci-pci 0000:00:1d.0: new USB bus registered, assigned bus number 2
[    2.420031] ehci-pci 0000:00:1d.0: debug port 2
[    2.423961] ehci-pci 0000:00:1d.0: cache line size of 64 is not supported
[    2.423998] ehci-pci 0000:00:1d.0: irq 21, io mem 0xf7737000
[    2.430045] ehci-pci 0000:00:1d.0: USB 2.0 started, EHCI 1.00


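The two questions in the message (does shrinking hostpc[] to [0] require growing reserved5[] to [17], and how does wIndex == 0 turn into index -1) can be checked without touching the kernel tree. The following is an added example, not code from the message or from the kernel: the struct is a reduced stand-in for the tail of the EHCI register block (field names and the 'tail' marker are illustrative, not the real ehci_regs), and checked_port_index() is one guarded form of the index computation, not the upstream fix. N_PORTS_MAX follows from HCS_N_PORTS being a 4-bit field in HCSPARAMS.

```c
/*
 * Added example, not from the original message or the kernel tree.
 * 1) Compare the register-block layout as reported (hostpc[1],
 *    reserved5[16]) with the proposed one (hostpc[0], reserved5[17]).
 * 2) Show how (wIndex & 0xff) - 1 goes negative for wIndex == 0, and a
 *    guarded index computation that never forms an out-of-range subscript.
 * Zero-length arrays are a GCC/Clang extension, as in the kernel headers.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Reduced stand-in (illustrative): layout as quoted in the message. */
struct regs_asis {
	u32 configured_flag;
	u32 port_status[0];	/* zero-length: shares its offset with reserved3 */
	u32 reserved3[9];
	u32 usbmode;
	u32 hostpc[1];		/* length 1: UBSAN knows the bound is [0, 1) */
	u32 reserved5[16];
	u32 tail;		/* stands in for whatever follows; must not move */
};

/* Same block with hostpc shrunk to [0] and reserved5 grown to compensate. */
struct regs_proposed {
	u32 configured_flag;
	u32 port_status[0];
	u32 reserved3[9];
	u32 usbmode;
	u32 hostpc[0];
	u32 reserved5[17];
	u32 tail;
};

/* 1 if the proposed change leaves every offset after hostpc unchanged. */
int layout_preserved(void)
{
	return sizeof(struct regs_asis) == sizeof(struct regs_proposed)
	    && offsetof(struct regs_asis, hostpc) == offsetof(struct regs_proposed, hostpc)
	    && offsetof(struct regs_asis, tail) == offsetof(struct regs_proposed, tail);
}

/* The subscript exactly as written in ehci_hub_control: wIndex is promoted
 * to int, so wIndex == 0 yields -1, which is what UBSAN reported. */
int raw_port_index(uint16_t wIndex)
{
	return (wIndex & 0xff) - 1;
}

#define N_PORTS_MAX 15	/* HCS_N_PORTS is a 4-bit field in HCSPARAMS */

/* Guarded variant: reject port 0 and ports beyond the controller's count
 * before any subscript is formed; -1 means "no such port". */
int checked_port_index(uint16_t wIndex, unsigned int ports)
{
	unsigned int port = wIndex & 0xff;

	if (port == 0 || port > ports || port > N_PORTS_MAX)
		return -1;
	return (int)port - 1;
}

/* Only hands out a register pointer for a validated port (assumed helper). */
u32 *port_status_reg(struct regs_proposed *r, uint16_t wIndex, unsigned int ports)
{
	int idx = checked_port_index(wIndex, ports);

	return idx < 0 ? NULL : &r->port_status[idx];
}

int main(void)
{
	struct regs_proposed regs = { 0 };

	printf("layout preserved by hostpc[0] + reserved5[17]: %s\n",
	       layout_preserved() ? "yes" : "no");
	printf("raw index for wIndex=0: %d\n", raw_port_index(0));
	printf("checked index for wIndex=0 (2 ports): %d\n",
	       checked_port_index(0, 2));
	printf("checked index for wIndex=2 (2 ports): %d\n",
	       checked_port_index(2, 2));
	printf("pointer for wIndex=0: %s\n",
	       port_status_reg(&regs, 0, 2) ? "non-NULL" : "NULL");
	return 0;
}
```

Build with plain gcc or clang; adding -fsanitize=undefined and indexing regs.hostpc[raw_port_index(0)] into the as-is struct reproduces the "index -1 is out of range for type 'u32 [1]'" report, while the same subscript into port_status[] does not, because a zero-length array carries no bound for the checker to test.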
