Message-ID: <Pine.LNX.4.44L0.1909041120330.1722-100000@iolanthe.rowland.org>
Date:   Wed, 4 Sep 2019 11:23:24 -0400 (EDT)
From:   Alan Stern <stern@...land.harvard.edu>
To:     Andrey Konovalov <andreyknvl@...gle.com>
cc:     syzbot <syzbot+35f4d916c623118d576e@...kaller.appspotmail.com>,
        <Thinh.Nguyen@...opsys.com>, <dianders@...omium.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        <jflat@...omium.org>, Kai Heng Feng <kai.heng.feng@...onical.com>,
        LKML <linux-kernel@...r.kernel.org>,
        USB list <linux-usb@...r.kernel.org>, <malat@...ian.org>,
        <mathias.nyman@...ux.intel.com>, <nsaenzjulienne@...e.de>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device

On Wed, 4 Sep 2019, Andrey Konovalov wrote:

> On Wed, Sep 4, 2019 at 4:41 PM Alan Stern <stern@...land.harvard.edu> wrote:
> >
> > On Tue, 3 Sep 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer still triggered
> > > crash:
> > > KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device
> > >
> > > usb 6-1: Using ep0 maxpacket: 16
> > > usb 6-1: BOS total length 54, descriptor 168
> > > usb 6-1: Old BOS ffff8881cd814f60  Len 0xa8
> > > usb 6-1: New BOS ffff8881cd257ae0  Len 0xa8
> > > ==================================================================
> > > BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
> > > Read of size 1 at addr ffff8881cd257c36 by task kworker/1:0/17
> >
> > Very sneaky!  A BOS descriptor whose wTotalLength field varies
> > depending on how many bytes you read.
> >
> > This should fix it.  It's the same approach we use for the Config
> > descriptor.
> 
> Nice, core USB bug :)
> 
> Can this potentially lead to something worse than an out-of-bounds memcmp?

I tend to doubt it.  It would require some code that does its own
parsing of the BOS descriptors.  If there is any code like that in the
kernel, I'm not aware of it.

Still, you never know...

Alan Stern
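The trap Alan describes above (a BOS descriptor set whose wTotalLength differs between the 5-byte header read and the full read) and the "same approach as the Config descriptor" defence, as an added userspace C illustration. This is not the kernel's code and not the patch syzbot tested; the fake device, the sample descriptor bytes, and the fetch_bos/bos_equal helpers are constructed for this example. The pattern it shows: read the header, allocate exactly the advertised wTotalLength, read the whole set, then refuse it if the second copy's wTotalLength disagrees with what was allocated, and afterwards compare sets only by the length the host actually holds, never by the field inside the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USB_DT_BOS       0x0f   /* BOS descriptor type */
#define USB_DT_BOS_SIZE  5      /* bLength, bDescriptorType, wTotalLength(2), bNumDeviceCaps */

/* Descriptor fields are little-endian; wTotalLength lives at bytes 2..3. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Constructed stand-in for a device answering GET_DESCRIPTOR(BOS). */
typedef struct { int sneaky; } fake_dev;

/*
 * Emulates the control transfer. An honest device returns a consistent
 * 12-byte set. A sneaky device returns the same 12 bytes but, on the full
 * read, stamps wTotalLength = 0xa8 (168) into the field the host might
 * later trust. Returns the number of bytes copied into buf.
 */
static int fake_get_bos(const fake_dev *d, uint8_t *buf, size_t len)
{
    uint8_t set[12] = {
        USB_DT_BOS_SIZE, USB_DT_BOS, 12, 0, 1,   /* header: wTotalLength = 12, 1 capability */
        7, 0x10, 0x02, 0x02, 0x00, 0x00, 0x00,   /* USB 2.0 Extension capability (constructed) */
    };
    if (d->sneaky && len > USB_DT_BOS_SIZE) {
        set[2] = 0xa8;  /* lie only when the host asks for the full set */
        set[3] = 0x00;
    }
    size_t n = len < sizeof set ? len : sizeof set;
    memcpy(buf, set, n);
    return (int)n;
}

struct bos_set {
    uint8_t *data;
    size_t len;   /* bytes actually held; the only length used after the fetch */
};

/*
 * Two-step fetch: header, allocate wTotalLength, full read. With strict=1
 * the set is rejected if the full read advertises a different wTotalLength;
 * strict=0 keeps the inconsistent set so the discrepancy can be observed.
 * Returns 0 on success, -1 on a malformed or inconsistent reply.
 */
static int fetch_bos(const fake_dev *dev, int strict, struct bos_set *out)
{
    uint8_t hdr[USB_DT_BOS_SIZE];
    int ret = fake_get_bos(dev, hdr, sizeof hdr);
    if (ret < (int)sizeof hdr || hdr[0] < USB_DT_BOS_SIZE || hdr[1] != USB_DT_BOS)
        return -1;
    size_t total = le16(&hdr[2]);
    if (total < USB_DT_BOS_SIZE)
        return -1;
    uint8_t *buf = calloc(1, total);
    if (!buf)
        return -1;
    ret = fake_get_bos(dev, buf, total);
    if (ret < (int)total) {          /* short read: treat as failure, as the kernel does */
        free(buf);
        return -1;
    }
    if (strict && le16(&buf[2]) != total) {   /* the second answer must agree with the first */
        free(buf);
        return -1;
    }
    out->data = buf;
    out->len = total;
    return 0;
}

/* What the buffer claims about itself; trusting this is the out-of-bounds memcmp. */
static size_t bos_claimed_len(const struct bos_set *s) { return le16(&s->data[2]); }

/* Compare by held length, so an inconsistent field can never widen the read. */
static int bos_equal(const struct bos_set *a, const struct bos_set *b)
{
    return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}

static void free_bos(struct bos_set *s) { free(s->data); s->data = NULL; s->len = 0; }

int main(void)
{
    fake_dev honest = {0}, sneaky = {1};
    struct bos_set a, b;

    if (fetch_bos(&honest, 1, &a) == 0)
        printf("honest: held %zu bytes, claims %zu\n", a.len, bos_claimed_len(&a));
    printf("sneaky, strict fetch: %s\n", fetch_bos(&sneaky, 1, &b) == 0 ? "accepted" : "rejected");
    if (fetch_bos(&sneaky, 0, &b) == 0) {
        printf("sneaky, lenient fetch: held %zu bytes, claims %zu (would overrun)\n",
               b.len, bos_claimed_len(&b));
        printf("equal by held length: %d\n", bos_equal(&a, &b));
        free_bos(&b);
    }
    free_bos(&a);
    return 0;
}
```

The lenient path is there only to make the discrepancy visible: a host that hands bos_claimed_len() to memcmp on the 12-byte buffer reads 156 bytes past its allocation, which is exactly the KASAN report shape at the top of the thread.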
