Message-ID: <20161122153852.GA32591@djo.tudelft.nl>
Date:   Tue, 22 Nov 2016 16:38:52 +0100
From:   Wim Osterholt <wim@....tudelft.nl>
To:     Oliver Neukum <oneukum@...e.com>
Cc:     poma <pomidorabelisima@...il.com>, linux-kernel@...r.kernel.org,
        linux-usb@...r.kernel.org, Wim Osterholt <wim@....tudelft.nl>
Subject: Re: crash by cdc_acm driver in kernels 4.8-rc1/5

On Mon, Nov 21, 2016 at 02:19:32PM +0100, Oliver Neukum wrote:

> I don't understand it, but please test the attached patch
> with dynamic debugging for cdc-acm and the kernel log level
> at maximum.

> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
> index 6895f9e..f03b5db 100644
> --- a/drivers/usb/class/cdc-acm.c
> +++ b/drivers/usb/class/cdc-acm.c
> @@ -1188,6 +1188,12 @@ static int acm_probe(struct usb_interface *intf,
>  
>  	cdc_parse_cdc_header(&h, intf, buffer, buflen);
>  	union_header = h.usb_cdc_union_desc;
> +
> +	dev_dbg(&intf->dev, "Parsed device header\n");
> +	dev_dbg(&intf->dev, "Union descriptor %p\n", h.usb_cdc_union_desc);
> +	dev_dbg(&intf->dev, "ACM descriptor %p\n", h.usb_cdc_acm_descriptor);
> +	dev_dbg(&intf->dev, "Country descriptor %p\n", h.usb_cdc_country_functional_desc);
> +
>  	cmgmd = h.usb_cdc_call_mgmt_descriptor;
>  	if (cmgmd)
>  		call_intf_num = cmgmd->bDataInterface;
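Review bot: the three dev_dbg() calls added right after cdc_parse_cdc_header() only execute on the path that actually calls the parser, so they cannot account for the crash reported below: the log shows dynamic debug is active for acm_probe ("cdc_acm:acm_probe: cdc_acm 4-1:1.0: interfaces are valid") yet none of "Parsed device header", "Union descriptor" or "ACM descriptor" appears before the oops, which points at probe reaching the descriptor accesses without passing through this block. The oops is also not a real NULL dereference: CR2 is 00000249 with EAX 00000246, and the faulting bytes <0f> b6 40 03 decode to movzbl 0x3(%eax),%eax, a byte read at offset 3 of a pointer holding the junk value 0x246; the preceding 85 c0 / 74 0a (test %eax,%eax; je) is exactly the `if (ptr)` guard, and a non-zero junk pointer passes it. Suggest initialising `h` to all zeros at its declaration (e.g. `struct usb_cdc_parsed_header h = { 0 };`, or a memset before the first early exit in acm_probe) so that every member reads as NULL on any path that skips the parser, and, while adding debug output, also printing h.usb_cdc_call_mgmt_descriptor, since `cmgmd` is the first member dereferenced in the unchanged lines that follow.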


On kernel 4.8.8 this crashes hard and produces over a serial link:

[  156.842106] sysrq: SysRq : Changing Loglevel
[  156.842110] sysrq: Loglevel set to 9
[  156.947852] usbcore: registered new interface driver cdc_acm
[  156.947854] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[  161.176701] usb 4-1: new full-speed USB device number 2 using uhci_hcd
[  161.383608] usb 4-1: New USB device found, idVendor=0572, idProduct=1340
[  161.384707] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  161.388722] usb 4-1: Product: USB Modem
[  161.392711] usb 4-1: Manufacturer: Conexant
[  161.392714] usb 4-1: SerialNumber: 12345678
[  161.397703] cdc_acm:acm_probe: cdc_acm 4-1:1.0: interfaces are valid
[  161.397731] BUG: unable to handle kernel NULL pointer dereference at 00000249
[  161.397740] IP: [<e086ad09>] acm_probe+0x580/0xd1e [cdc_acm]
[  161.397742] *pde = 00000000 
[  161.397745] Oops: 0000 [#1] SMP
[  161.397786] Modules linked in: cdc_acm radeon drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit fbcon bitblit softcursor font tileblit binfmt_misc snd_pcm_oss snd_mixer_oss usb_storage usbhid ipw2200 libipw lib80211 snd_intel8x0 cfg80211 snd_ac97_codec ac97_bus uhci_hcd snd_pcm ehci_pci snd_timer snd ehci_hcd rfkill usbcore soundcore via_rhine firmware_class ppdev pcspkr parport_pc mii lpc_ich parport fan usb_common acpi_cpufreq thermal mfd_core floppy button processor
[  161.397790] CPU: 0 PID: 4 Comm: kworker/0:0 Not tainted 4.8.8 #2
[  161.397792] Hardware name: MEDIONPC MS-7048/MS-7048, BIOS 6.00 PG 02/12/2004
[  161.397805] Workqueue: usb_hub_wq hub_event [usbcore]
[  161.397807] task: df4c9500 task.stack: df4da000
[  161.397810] EIP: 0060:[<e086ad09>] EFLAGS: 00010202 CPU: 0
[  161.397813] EIP is at acm_probe+0x580/0xd1e [cdc_acm]
[  161.397815] EAX: 00000246 EBX: dc27b000 ECX: e086c934 EDX: 00000000
[  161.397817] ESI: 00000100 EDI: 00000000 EBP: df4dbc18 ESP: df4dbb80
[  161.397819]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  161.397821] CR0: 80050033 CR2: 00000249 CR3: 1c45f000 CR4: 00000690
[  161.397822] Stack:
[  161.397828]  00003640 00003662 0000000e df491d50 00000000 00000000 00000010 00000040
[  161.397835]  00000080 00000246 dd1fc540 decf5a00 dc468c70 00000001 df583a00 df583a38
[  161.397841]  dc468c00 decf5800 decf5a00 00000000 dc452ab0 00000004 00000246 df4dbc00
[  161.397842] Call Trace:
[  161.397853]  [<c04bce4d>] ? __mutex_unlock_slowpath+0xf4/0xfc
[  161.397862]  [<e1e2e50d>] ? usb_probe_interface+0x17b/0x1f6 [usbcore]
[  161.397870]  [<e1e2e50d>] ? usb_probe_interface+0x17b/0x1f6 [usbcore]
[  161.397877]  [<c0366fe8>] ? driver_probe_device+0x17b/0x30e
[  161.397880]  [<c0366fe8>] ? driver_probe_device+0x17b/0x30e
[  161.397883]  [<c03656e2>] ? bus_for_each_drv+0x59/0x68
[  161.397886]  [<c03656e2>] ? bus_for_each_drv+0x59/0x68
[  161.397890]  [<c0366d96>] ? __device_attach+0x91/0x105
[  161.397893]  [<c036727c>] ? driver_allows_async_probing+0x2f/0x2f
[  161.397896]  [<c036636a>] ? bus_probe_device+0x27/0x6b
[  161.397899]  [<c036636a>] ? bus_probe_device+0x27/0x6b
[  161.397902]  [<c0364af0>] ? device_add+0x289/0x4be
[  161.397911]  [<e1e2ce72>] ? usb_set_configuration+0x5a6/0x5e9 [usbcore]
[  161.397919]  [<e1e2ce72>] ? usb_set_configuration+0x5a6/0x5e9 [usbcore]
[  161.397928]  [<e1e34664>] ? generic_probe+0x3b/0x67 [usbcore]
[  161.397937]  [<e1e34664>] ? generic_probe+0x3b/0x67 [usbcore]
[  161.397945]  [<e1e2e379>] ? usb_probe_device+0x49/0x62 [usbcore]
[  161.397953]  [<e1e2e330>] ? usb_suspend+0xcd/0xcd [usbcore]
[  161.397957]  [<c0366fe8>] ? driver_probe_device+0x17b/0x30e
[  161.397960]  [<c0366fe8>] ? driver_probe_device+0x17b/0x30e
[  161.397963]  [<c03656e2>] ? bus_for_each_drv+0x59/0x68
[  161.397966]  [<c03656e2>] ? bus_for_each_drv+0x59/0x68
[  161.397969]  [<c0366d96>] ? __device_attach+0x91/0x105
[  161.397972]  [<c036727c>] ? driver_allows_async_probing+0x2f/0x2f
[  161.397976]  [<c036636a>] ? bus_probe_device+0x27/0x6b
[  161.397979]  [<c036636a>] ? bus_probe_device+0x27/0x6b
[  161.397982]  [<c0364af0>] ? device_add+0x289/0x4be
[  161.397985]  [<c035f7e9>] ? add_device_randomness+0x84/0x9c
[  161.397993]  [<e1e2521a>] ? usb_new_device+0x29d/0x3b5 [usbcore]
[  161.398001]  [<e1e2521a>] ? usb_new_device+0x29d/0x3b5 [usbcore]
[  161.398010]  [<e1e26949>] ? hub_event+0xb32/0xed8 [usbcore]
[  161.398017]  [<e1e26949>] ? hub_event+0xb32/0xed8 [usbcore]
[  161.398026]  [<e1e25d06>] ? usb_remote_wakeup+0x6f/0x7d [usbcore]
[  161.398031]  [<c01484b7>] ? process_one_work+0x174/0x2bc
[  161.398034]  [<c01484b7>] ? process_one_work+0x174/0x2bc
[  161.398037]  [<c0148a93>] ? worker_thread+0x22c/0x2f6
[  161.398040]  [<c0148867>] ? rescuer_thread+0x23f/0x23f
[  161.398043]  [<c014be62>] ? kthread+0xa4/0xa9
[  161.398046]  [<c04be662>] ? ret_from_kernel_thread+0xe/0x24
[  161.398049]  [<c014bdbe>] ? kthread_create_on_node+0x101/0x101
[  161.398085] Code: 14 89 83 b4 04 00 00 8b 45 94 89 43 04 8b 45 ac 89 43 08 8b 85 7c ff ff ff 89 83 c0 04 00 00 8b 45 a8 89 03 8b 45 c0 85 c0 74 0a <0f> b6 40 03 89 83 c8 04 00 00 f6 45 9c 04 74 07 83 a3 c8 04 00
[  161.398091] EIP: [<e086ad09>] acm_probe+0x580/0xd1e [cdc_acm] SS:ESP 0068:df4dbb80
[  161.398092] CR2: 0000000000000249
[  161.398096] ---[ end trace da016e6d3520a331 ]---
[  161.398152] BUG: unable to handle kernel paging request at ffffffec
[  161.398156] IP: [<c014c304>] kthread_data+0xf/0x13
[  161.398159] *pde = 00735067 *pte = 00000000 
[  161.398161] Oops: 0000 [#2] SMP
[  161.398197] Modules linked in: cdc_acm radeon drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit fbcon bitblit softcursor font tileblit binfmt_misc snd_pcm_oss snd_mixer_oss usb_storage usbhid ipw2200 libipw lib80211 snd_intel8x0 cfg80211 snd_ac97_codec ac97_bus uhci_hcd snd_pcm ehci_pci snd_timer snd ehci_hcd rfkill usbcore soundcore via_rhine firmware_class ppdev pcspkr parport_pc mii lpc_ich parport fan usb_common acpi_cpufreq thermal mfd_core floppy button processor
[  161.398200] CPU: 0 PID: 4 Comm: kworker/0:0 Tainted: G      D         4.8.8 #2
[  161.398202] Hardware name: MEDIONPC MS-7048/MS-7048, BIOS 6.00 PG 02/12/2004
[  161.398217] task: df4c9500 task.stack: df4da000
[  161.398219] EIP: 0060:[<c014c304>] EFLAGS: 00010002 CPU: 0
[  161.398221] EIP is at kthread_data+0xf/0x13
[  161.398223] EAX: 00000000 EBX: df4dc000 ECX: dec92374 EDX: df4c9500
[  161.398225] ESI: df4c97b4 EDI: dfbd0960 EBP: df4dbf48 ESP: df4dbf44
[  161.398227]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  161.398229] CR0: 80050033 CR2: 00000014 CR3: 1c45f000 CR4: 00000690
[  161.398231] Stack:
[  161.398237]  c0148bbb df4dbf6c c04bb2a4 df401d80 c01e2b00 df4c9500 00000001 df4dc000
[  161.398244]  df4dbd50 df4dbf98 df4dbf78 c04bb669 df4c9500 df4dbfac c0139827 df4c9888
[  161.398250]  01000000 df4c972c df4c8000 00000001 00000000 df4dbf98 df4dbf98 00000009
[  161.398251] Call Trace:
[  161.398254]  [<c0148bbb>] ? wq_worker_sleeping+0xd/0x75
[  161.398259]  [<c04bb2a4>] ? __schedule+0xcc/0x424
[  161.398263]  [<c01e2b00>] ? __slab_free+0x266/0x270
[  161.398266]  [<c04bb669>] ? schedule+0x6d/0x7a
[  161.398270]  [<c0139827>] ? do_exit+0x74d/0x775
[  161.398274]  [<c04bf679>] ? rewind_stack_do_exit+0x11/0x13
[  161.398277]  [<c014bdbe>] ? kthread_create_on_node+0x101/0x101
[  161.398312] Code: 8d 44 90 4c c0 8d 0c 95 00 00 00 00 29 cb b9 02 00 00 00 89 da 5b 5d e9 f5 fd ff ff 55 89 e5 3e 8d 74 26 00 8b 80 84 02 00 00 5d <8b> 40 ec c3 55 89 e5 52 3e 8d 74 26 00 b9 04 00 00 00 8b 90 84
[  161.398316] EIP: [<c014c304>] kthread_data+0xf/0x13 SS:ESP 0068:df4dbf44
[  161.398318] CR2: 00000000ffffffec
[  161.398320] ---[ end trace da016e6d3520a332 ]---
[  161.398321] Fixing recursive fault but reboot is needed!


Regards, Wim.
