Message-ID: <CAEc3jaA2Vk+C1iSHL89fTAz9fZBS7rVEdj8WOTW966Pt+MBcyA@mail.gmail.com>
Date:   Fri, 4 Jan 2019 13:35:01 -0800
From:   Roderick Colenbrander <thunderbird2k@...il.com>
To:     Anatoly Trosinenko <anatoly.trosinenko@...il.com>
Cc:     Benjamin Tissoires <benjamin.tissoires@...hat.com>,
        Jiri Kosina <jikos@...nel.org>,
        lkml <linux-kernel@...r.kernel.org>,
        "open list:HID CORE LAYER" <linux-input@...r.kernel.org>
Subject: Re: NULL pointer dereference when writing fuzzed data to /dev/uhid

Thanks, it seems the tests created a Buzz controller. It is
sony_led_init (called from sony_input_configured), which calls
hid_validate_values. It is hid_validate_values, which is unhappy due
to obviously corrupted reports.

I'm not too familiar with hid_validate_values, but it seems to access
a bunch of data structures on the HID device. The code probably makes
some assumptions. Fixing this issue requires some more sanity
checking, if it is worth it.

Thanks,
Roderick

On Fri, Jan 4, 2019 at 9:04 AM Anatoly Trosinenko
<anatoly.trosinenko@...il.com> wrote:
>
> > Would you be able to share the sony.bin file?
> Sent it in this message.
>
> > Did you inject a particular device?
> If you are asking me, then no, I blindly send fuzzed data with a
> simple (but quite large and not very meaningful) header. That time it
> just turned out to be a Sony-like descriptor :)
>
> Best regards
> Anatoly
>
> Fri, 4 Jan 2019 at 19:38, Roderick Colenbrander <thunderbird2k@...il.com>:
> >
> > > > For sony.bin:
> > > >
> > > > root@...-xfstests:~# cat /vtmp/sony.bin > /dev/uhid
> > > > [   16.891931] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.892432] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.892894] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.893362] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.893844] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.895389] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.898165] sony 0003:054C:1000.0001: ignoring exceeding usage max
> > > > [   16.901190] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.903797] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.906401] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.908957] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.911449] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.913936] sony 0003:054C:1000.0001: unknown main item tag 0x1
> > > > [   16.916551] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.918454] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.919743] sony 0003:054C:1000.0001: unknown main item tag 0x4
> > > > [   16.920834] sony 0003:054C:1000.0001: unknown main item tag 0xe
> > > > [   16.921904] sony 0003:054C:1000.0001: unknown main item tag 0xe
> > > > [   16.923006] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.924082] sony 0003:054C:1000.0001: unknown main item tag 0x2
> > > > [   16.925195] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.926289] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.927400] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [   16.928546] BUG: unable to handle kernel NULL pointer dereference
> > > > at 0000000000000028
> > > > [   16.929951] #PF error: [normal kernel read fault]
> > > > [   16.930884] PGD 800000007a52b067 P4D 800000007a52b067 PUD 0
> > > > [   16.931836] Oops: 0000 [#1] SMP PTI
> > > > [   16.932437] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted
> > > > 4.20.0-xfstests-10979-g96d4f267e40 #1
> > > > [   16.933752] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> > > > BIOS 1.11.1-1ubuntu1 04/01/2014
> > > > [   16.935372] Workqueue: events uhid_device_add_worker
> > > > [   16.936321] RIP: 0010:hid_validate_values+0x48/0x110
> > >
> > > In a sense, it's good to have a fault there because this was added to
> > > make sure we do not blindly accept any data. The fact that it doesn't
> > > fail gracefully is a sign that there is something else.
> > > Maybe Roderick could have a look?
> > >
> > > Cheers,
> > > Benjamin
> > >
> >
> > Sure I can have a look. Would you be able to share the sony.bin file?
> > Did you inject a particular device? We do a lot of remapping and
> > processing in hid-sony at startup. It is probably related to that.
> >
> > Thanks,
> > Roderick
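
The "more sanity checking" Roderick describes, as an added example that is not code from this thread or from the kernel's hid-core: a simplified C model of validating a parsed report before a driver init path (standing in for an LED-init style caller) dereferences it. The struct and function names (model_device, model_report, model_validate_values, model_sample_device), the per-type/per-id table layout and the assumed type ordering are assumptions of the example, not the kernel's structures.

```c
/* Added example, not code from the thread or from the Linux kernel.
 * A minimal model of the sanity checking a HID driver needs before it
 * consumes report structures parsed from an untrusted (here: fuzzed, via
 * /dev/uhid) report descriptor. All names below are hypothetical stand-ins
 * for the kernel's own structures. */
#include <stddef.h>
#include <stdio.h>

#define REPORT_TYPE_COUNT 3   /* input, output, feature (assumed ordering) */
#define MAX_REPORT_IDS    256

struct model_field {
    unsigned int report_count;   /* number of values carried by this field */
};

struct model_report {
    unsigned int id;
    unsigned int maxfield;       /* number of valid entries in field[] */
    struct model_field *field[4];
};

/* Per-type table; a NULL slot means "no report with that id was parsed". */
struct model_device {
    struct model_report *reports[REPORT_TYPE_COUNT][MAX_REPORT_IDS];
};

/* Returns the report if every structural assumption the caller relies on
 * holds, otherwise NULL. Each check guards the dereference that follows it,
 * so a corrupted or missing report yields a clean failure, not a fault. */
struct model_report *model_validate_values(struct model_device *dev,
                                           unsigned int type, unsigned int id,
                                           unsigned int field_index,
                                           unsigned int report_counts)
{
    struct model_report *report;
    struct model_field *field;

    if (dev == NULL)
        return NULL;
    if (type >= REPORT_TYPE_COUNT) {
        fprintf(stderr, "invalid report type %u\n", type);
        return NULL;
    }
    if (id >= MAX_REPORT_IDS) {
        fprintf(stderr, "invalid report id %u\n", id);
        return NULL;
    }
    report = dev->reports[type][id];
    if (report == NULL) {
        fprintf(stderr, "missing report type %u id %u\n", type, id);
        return NULL;
    }
    if (field_index >= report->maxfield) {
        fprintf(stderr, "not enough fields in report %u\n", id);
        return NULL;
    }
    field = report->field[field_index];
    /* A parser bug or a corrupted descriptor can leave a field slot empty
     * even when maxfield says otherwise; check it rather than trust it. */
    if (field == NULL) {
        fprintf(stderr, "report %u field %u not allocated\n", id, field_index);
        return NULL;
    }
    if (field->report_count < report_counts) {
        fprintf(stderr, "not enough values in report %u field %u\n",
                id, field_index);
        return NULL;
    }
    return report;
}

/* Constructed device: one well-formed output report (id 1, one field with
 * 4 values) and one "corrupted" output report (id 2) whose field slot is
 * NULL although maxfield claims a field exists. */
static struct model_field good_field = { .report_count = 4 };
static struct model_report good_report = { .id = 1, .maxfield = 1,
                                           .field = { &good_field } };
static struct model_report bad_report  = { .id = 2, .maxfield = 1,
                                           .field = { NULL } };

struct model_device *model_sample_device(void)
{
    static struct model_device dev;
    dev.reports[1][1] = &good_report;   /* type 1 = output (assumed) */
    dev.reports[1][2] = &bad_report;
    return &dev;
}

int main(void)
{
    struct model_device *dev = model_sample_device();
    /* Mirrors an LED-init style check: "output report 1, field 0, 4 values". */
    printf("good: %s\n", model_validate_values(dev, 1, 1, 0, 4) ? "ok" : "rejected");
    printf("bad:  %s\n", model_validate_values(dev, 1, 2, 0, 4) ? "ok" : "rejected");
    printf("none: %s\n", model_validate_values(dev, 1, 7, 0, 1) ? "ok" : "rejected");
    return 0;
}
```

The order of the checks is the point: the type and id range checks protect the table index, the NULL check protects `report->maxfield`, and the field-slot check protects `field->report_count`. A driver that calls such a validator on a fuzzed descriptor gets NULL back and can skip the feature, which is the graceful failure the thread asks for instead of an oops in the uhid worker.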
