lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170922075815.GC7482@kroah.com>
Date:   Fri, 22 Sep 2017 09:58:15 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Alan Stern <stern@...land.harvard.edu>
Cc:     Andrey Konovalov <andreyknvl@...gle.com>,
        Oliver Neukum <oneukum@...e.com>,
        USB list <linux-usb@...r.kernel.org>,
        linux-scsi@...r.kernel.org, usb-storage@...ts.one-eyed-alien.net,
        LKML <linux-kernel@...r.kernel.org>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Kostya Serebryany <kcc@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: usb/storage/uas: slab-out-of-bounds in uas_probe

On Thu, Sep 21, 2017 at 03:04:05PM -0400, Alan Stern wrote:
> On Thu, 21 Sep 2017, Andrey Konovalov wrote:
> 
> > On Thu, Sep 21, 2017 at 6:10 PM, Greg Kroah-Hartman
> > <gregkh@...uxfoundation.org> wrote:
> > > On Thu, Sep 21, 2017 at 05:39:05PM +0200, Andrey Konovalov wrote:
> > >> Hi!
> > >>
> > >> I've got the following report while fuzzing the kernel with syzkaller.
> > >>
> > >> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
> > >>
> > >> The issue occurs when we iterate over interface altsettings, but I
> > >> don't see the driver doing anything wrong. I might be missing
> > >> something, or this might be an issue in USB core altsettings parsing.
> > >
> > >
> > > Any chance you happen to have the descriptors that you were feeding into
> > > the kernel at this crash?  That might help in figuring out what "went
> > > wrong".
> > 
> > Here's the data that I feed into dummy_udc:
> > 
> > 00 00 00 00 09 02 12 00 01 34 05 80 07 09 04 6e
> > 09 00 08 06 62 00 12 01 05 00 cb f7 71 83 04 00
> > 05 00 ab f6 07 81 08 01
> > 
> > Also attaching a C reproducer (requires dummy_hcd and gadgetfs) and my .config.
> 
> Why do your reproducers use an mmap'ed array for their data instead of 
> a plain old statically allocated array?
> 
> Anyway, this turns out to be a genuine (and subtle!) bug in the uas
> driver.  The uas_find_uas_alt_setting() routine in uas-detect.h returns
> a bAlternateSetting value, but then the uas_use_uas_driver() routine
> uses this value as an index to the altsetting array -- which it isn't.  
> 
> Normally this doesn't cause any problems because the the entries in the
> array have bAlternateSetting values 0, 1, etc., so the value is equal
> to the index.  But in your fuzzed case, that wasn't true.
> 
> The patch below fixes this bug, by returning a pointer to the 
> alt-setting entry instead of either the value or the index.  Pointers 
> are less subject to misinterpretation.

Ugh, messy, nice catch and fix, I'll go queue it up now, thanks for
resolving this.

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ