lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20191218164507.GB17876@pendragon.ideasonboard.com>
Date:   Wed, 18 Dec 2019 18:45:07 +0200
From:   Laurent Pinchart <laurent.pinchart@...asonboard.com>
To:     Will Deacon <will@...nel.org>
Cc:     linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
        andreyknvl@...gle.com, Mauro Carvalho Chehab <mchehab@...nel.org>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Kostya Serebryany <kcc@...gle.com>, stable@...r.kernel.org
Subject: Re: [PATCH] media: uvc: Avoid cyclic entity chains due to malformed
 USB descriptors

Hi Will,

On Mon, Oct 07, 2019 at 05:27:10PM +0100, Will Deacon wrote:
> On Wed, Oct 02, 2019 at 09:56:04PM +0300, Laurent Pinchart wrote:
> > On Wed, Oct 02, 2019 at 02:19:29PM +0100, Will Deacon wrote:
> > > > uvc_scan_chain_forward() is then called (from uvc_scan_chain()), and
> > > > iterates over all entities connected to the entity being scanned.
> > > > 
> > > > 	while (1) {
> > > > 		forward = uvc_entity_by_reference(chain->dev, entity->id,
> > > > 			forward);
> > > 
> > > Yes.
> > > 
> > > > At this point forward may be equal to entity, if entity references
> > > > itself.
> > > 
> > > Correct -- that's indicative of a malformed entity which we want to reject,
> > > right?
> > 
> > Right. We can reject the whole chain in that case. There's one case
> > where we still want to succeed though, which is handled by
> > uvc_scan_fallback().
> > 
> > Looking at the code, uvc_scan_device() does
> > 
> >                 if (uvc_scan_chain(chain, term) < 0) {
> >                         kfree(chain);
> >                         continue;
> >                 }
> > 
> > It seems that's missing removal of all entities that would have been
> > successfully added to the chain. This prevents, I think,
> > uvc_scan_fallback() from working properly in some cases.
> 
> I started trying to hack something up here, but I'm actually not sure
> there's anything to do!
> 
> I agree that 'uvc_scan_chain()' can fail after adding entities to the
> chain, however, 'uvc_scan_fallback()' allocates a new chain and calls
> only 'uvc_scan_chain_entity()' to add entities to it. This doesn't fail
> on pre-existing 'list_head' structures, so the dangling pointers shouldn't
> pose a problem there. My patch only adds the checks to
> 'uvc_scan_chain_forward()' and 'uvc_scan_chain_backward()', neither of
> which are invoked on the fallback path.
> 
> The fallback also seems like a best-effort thing, since it isn't even
> invoked if we managed to initialise *any* chains successfully.
> 
> Does that make sense, or did you have another failure case in mind?

No, I think you're right. It may still be good to remove the entities
from the chain before freeing it to avoid dangling pointers, but that's
not handled properly anywhere in the driver anyway, so your patch
doesn't introduce any issue.

> > > > 		if (forward == NULL)
> > > > 			break;
> > > > 		if (forward == prev)
> > > > 			continue;
> > > > 		if (forward->chain.next || forward->chain.prev) {
> > > > 			uvc_trace(UVC_TRACE_DESCR, "Found reference to "
> > > > 				"entity %d already in chain.\n", forward->id);
> > > > 			return -EINVAL;
> > > > 		}
> > > > 
> > > > But then this check should trigger, as forward == entity and entity is
> > > > in the chain's list of entities.
> > > 
> > > Right, but this code is added by my patch, no? In mainline, the code only
> > > has the first two checks, which both end up comparing against NULL the first
> > > time around:
> > > 
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/media/usb/uvc/uvc_driver.c#n1489
> > > 
> > > Or are you referring to somewhere else?
> > 
> > Oops. This is embarassing... :-) You're of course right. The second hunk
> > seems fine too, even if I would have preferred centralising the check in
> > a single place. That should be possible, but it would involve
> > refactoring that isn't worth it at the moment.
> 
> Agreed, thanks.

-- 
Regards,

Laurent Pinchart

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ