Message-ID: <Pine.LNX.4.44L0.2001081314471.1468-100000@iolanthe.rowland.org>
Date: Wed, 8 Jan 2020 13:18:54 -0500 (EST)
From: Alan Stern <stern@...land.harvard.edu>
To: syzbot <syzbot+10e5f68920f13587ab12@...kaller.appspotmail.com>
cc: andreyknvl@...gle.com, <gregkh@...uxfoundation.org>,
<gustavo@...eddedor.com>, <ingrassia@...genesys.com>,
<linux-kernel@...r.kernel.org>, <linux-usb@...r.kernel.org>,
<syzkaller-bugs@...glegroups.com>
Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)
On Tue, 7 Jan 2020, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> WARNING in usbhid_raw_request/usb_submit_urb
Given this result, let's try again the slightly larger patch. The
difference between the patch just tested and this one is very small
indeed, although it's hard to predict how that difference will affect
the object code.
Alan Stern
#syz test: https://github.com/google/kasan.git ecdf2214
Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -205,7 +205,7 @@ int usb_urb_ep_type_check(const struct u
ep = usb_pipe_endpoint(urb->dev, urb->pipe);
if (!ep)
- return -EINVAL;
+ return -EBADF;
if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
return -EINVAL;
return 0;
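Review bot: The `!ep` branch now returns -EBADF while the type-mismatch branch just below still returns -EINVAL, and nothing in the hunk says why the two differ. If the distinct code exists only so the warning in usb_submit_urb() can tell the two failures apart during this test, add a comment saying so or keep the change out of any final fix, because a caller of usb_urb_ep_type_check() that compares the result against -EINVAL specifically would see different behaviour for a missing endpoint.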
@@ -356,6 +356,7 @@ int usb_submit_urb(struct urb *urb, gfp_
struct usb_host_endpoint *ep;
int is_out;
unsigned int allowed;
+ int c;
if (!urb || !urb->complete)
return -EINVAL;
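Review bot: The new local `int c;` holds the return value of usb_urb_ep_type_check(), but the single-letter name gives no hint of that next to `is_out` and `allowed`. A name such as `ret` or `err` would make the later `if (c)` test and the `%d` argument in the warning read as an error code at a glance.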
@@ -474,9 +475,10 @@ int usb_submit_urb(struct urb *urb, gfp_
*/
/* Check that the pipe's type matches the endpoint's type */
- if (usb_urb_ep_type_check(urb))
- dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
- usb_pipetype(urb->pipe), pipetypes[xfertype]);
+ c = usb_urb_ep_type_check(urb);
+ if (c)
+ dev_WARN(&dev->dev, "BOGUS urb xfer %d, pipe %x != type %x\n",
+ c, usb_pipetype(urb->pipe), pipetypes[xfertype]);
/* Check against a simple/standard policy */
allowed = (URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT | URB_DIR_MASK |
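Review bot: The dev_WARN text still reads "pipe %x != type %x" for every non-zero `c`, including the -EBADF value that the first hunk returns when usb_pipe_endpoint() finds no endpoint. In that case the failure is not a pipe/endpoint type mismatch, so the message is misleading even with the code printed. Consider branching on `c` and emitting a separate message for the missing-endpoint case, so the log states which check failed without the reader having to decode the number.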