| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <96c523ea-799f-ad2f-f1c4-46ff6f9f6d6c@sony.com>
Date: Fri, 7 Feb 2020 08:11:25 +0000
From: "Enderborg, Peter" <Peter.Enderborg@...y.com>
To: Alan Stern <stern@...land.harvard.edu>
CC: Jiri Kosina <jikos@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in
hid_field_extract (Broken!)
On 2/6/20 4:14 PM, Alan Stern wrote:
> On Thu, 6 Feb 2020, Enderborg, Peter wrote:
>
>>> Also, please post the output from "lsusb -v" for the StreamDeck.
>> Bus 002 Device 008: ID 0fd9:0060 Elgato Systems GmbH Stream Deck
>> Device Descriptor:
>> bLength 18
>> bDescriptorType 1
>> bcdUSB 2.00
>> bDeviceClass 0
>> bDeviceSubClass 0
>> bDeviceProtocol 0
>> bMaxPacketSize0 64
>> idVendor 0x0fd9 Elgato Systems GmbH
>> idProduct 0x0060
>> bcdDevice 1.00
>> iManufacturer 1
>> iProduct 2
>> iSerial 3
>> bNumConfigurations 1
>> Configuration Descriptor:
>> bLength 9
>> bDescriptorType 2
>> wTotalLength 0x0029
>> bNumInterfaces 1
>> bConfigurationValue 1
>> iConfiguration 0
>> bmAttributes 0xe0
>> Self Powered
>> Remote Wakeup
>> MaxPower 400mA
>> Interface Descriptor:
>> bLength 9
>> bDescriptorType 4
>> bInterfaceNumber 0
>> bAlternateSetting 0
>> bNumEndpoints 2
>> bInterfaceClass 3 Human Interface Device
>> bInterfaceSubClass 0
>> bInterfaceProtocol 0
>> iInterface 0
>> HID Device Descriptor:
>> bLength 9
>> bDescriptorType 33
>> bcdHID 1.11
>> bCountryCode 0 Not supported
>> bNumDescriptors 1
>> bDescriptorType 34 Report
>> wDescriptorLength 248
>> Report Descriptors:
>> ** UNAVAILABLE **
> I was hoping to see the report descriptors. This would produce the
> actual descriptors as sent by the device, not the kernel's
> interpretation or modification of the descriptors.
>
> I guess you have to unbind the device from the usbhid driver first in
> order for lsusb to get them. Can you do that?
>
> Alan Stern
>
Im not sure exatly what you need to unbind. But I assume this is what you want:
lsusb -v -d 0fd9:0060
Bus 002 Device 002: ID 0fd9:0060 Elgato Systems GmbH Stream Deck
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x0fd9 Elgato Systems GmbH
idProduct 0x0060
bcdDevice 1.00
iManufacturer 1 Elgato Systems
iProduct 2 Stream Deck
iSerial 3 AL01H1A08945
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0029
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xe0
Self Powered
Remote Wakeup
MaxPower 400mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 0
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.11
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 248
Report Descriptor: (length is 248)
Item(Global): Usage Page, data= [ 0x0c ] 12
Consumer
Item(Local ): Usage, data= [ 0x01 ] 1
Consumer Control
Item(Main ): Collection, data= [ 0x01 ] 1
Application
Item(Local ): Usage, data= [ 0x01 ] 1
Consumer Control
Item(Global): Usage Page, data= [ 0x09 ] 9
Buttons
Item(Local ): Usage Minimum, data= [ 0x01 ] 1
Button 1 (Primary)
Item(Local ): Usage Maximum, data= [ 0x10 ] 16
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0x10 ] 16
Item(Global): Report ID, data= [ 0x01 ] 1
Item(Main ): Input, data= [ 0x02 ] 2
Data Variable Absolute No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Local ): Usage, data= [ 0x00 0xff ] 65280
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0x10 ] 16
Item(Global): Report ID, data= [ 0xa0 ] 160
Item(Main ): Input, data= [ 0x02 ] 2
Data Variable Absolute No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Local ): Usage, data= [ 0x00 0xff ] 65280
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0x10 ] 16
Item(Global): Report ID, data= [ 0xa1 ] 161
Item(Main ): Input, data= [ 0x02 ] 2
Data Variable Absolute No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Local ): Usage, data= [ 0x00 0xff ] 65280
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0xfe 0x1f ] 8190
Item(Global): Report ID, data= [ 0x02 ] 2
Item(Main ): Output, data= [ 0x02 ] 2
Data Variable Absolute No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Main ): Collection, data= [ 0x00 ] 0
Physical
Item(Local ): Usage, data= [ 0x00 0xff ] 65280
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0x10 ] 16
Item(Global): Report ID, data= [ 0x03 ] 3
Item(Main ): Feature, data= [ 0x02 ] 2
Data Variable Absolute No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Main ): End Collection, data=none
Item(Main ): Collection, data= [ 0x00 ] 0
Physical
Item(Local ): Usage, data= [ 0x00 0xff ] 65280
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0x10 ] 16
Item(Global): Report ID, data= [ 0x04 ] 4
Item(Main ): Feature, data= [ 0x02 ] 2
Data Variable Absolute No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Main ): End Collection, data=none
Item(Main ): Collection, data= [ 0x00 ] 0
Physical
Item(Local ): Usage, data= [ 0x00 0xff ] 65280
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0x10 ] 16
Item(Global): Report ID, data= [ 0x05 ] 5
Item(Main ): Feature, data= [ 0x02 ] 2
Data Variable Absolute No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Main ): End Collection, data=none
Item(Main ): Collection, data= [ 0x00 ] 0
Physical
Item(Local ): Usage, data= [ 0x00 0xff ] 65280
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0x01 ] 1
Item(Global): Report ID, data= [ 0x06 ] 6
Item(Main ): Feature, data= [ 0x02 ] 2
Data Variable Absolute No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Main ): End Collection, data=none
Item(Main ): Collection, data= [ 0x00 ] 0
Physical
Item(Local ): Usage, data= [ 0x00 0xff ] 65280
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0x10 ] 16
Item(Global): Report ID, data= [ 0x07 ] 7
Item(Main ): Feature, data= [ 0x04 ] 4
Data Array Relative No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Main ): End Collection, data=none
Item(Main ): Collection, data= [ 0x00 ] 0
Physical
Item(Local ): Usage, data= [ 0x00 0xff ] 65280
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0x01 ] 1
Item(Global): Report ID, data= [ 0x08 ] 8
Item(Main ): Feature, data= [ 0x04 ] 4
Data Array Relative No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Main ): End Collection, data=none
Item(Main ): Collection, data= [ 0x00 ] 0
Physical
Item(Local ): Usage, data= [ 0x00 0xff ] 65280
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0x10 ] 16
Item(Global): Report ID, data= [ 0x09 ] 9
Item(Main ): Feature, data= [ 0x04 ] 4
Data Array Relative No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Main ): End Collection, data=none
Item(Main ): Collection, data= [ 0x00 ] 0
Physical
Item(Local ): Usage, data= [ 0x00 0xff ] 65280
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0x10 ] 16
Item(Global): Report ID, data= [ 0x0a ] 10
Item(Main ): Feature, data= [ 0x04 ] 4
Data Array Relative No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Main ): End Collection, data=none
Item(Main ): Collection, data= [ 0x00 ] 0
Physical
Item(Local ): Usage, data= [ 0x00 0xff ] 65280
(null)
Item(Global): Logical Minimum, data= [ 0x00 ] 0
Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
Item(Global): Report Size, data= [ 0x08 ] 8
Item(Global): Report Count, data= [ 0x10 ] 16
Item(Global): Report ID, data= [ 0x0b ] 11
Item(Main ): Feature, data= [ 0x04 ] 4
Data Array Relative No_Wrap Linear
Preferred_State No_Null_Position Non_Volatile Bitfield
Item(Main ): End Collection, data=none
Item(Main ): End Collection, data=none
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 1
Device Qualifier (for other device speed):
bLength 10
bDescriptorType 6
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
bNumConfigurations 1
can't get debug descriptor: Resource temporarily unavailable
Device Status: 0x0003
Self Powered
Remote Wakeup Enabled
Powered by blists - more mailing lists