lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 22 Apr 2020 12:51:14 +0200
From:   Takashi Iwai <tiwai@...e.de>
To:     Oliver Neukum <oneukum@...e.com>
Cc:     syzbot <syzbot+cabfa4b5b05ff6be4ef0@...kaller.appspotmail.com>,
        <andreyknvl@...gle.com>, <hverkuil-cisco@...all.nl>,
        <linux-kernel@...r.kernel.org>, <linux-media@...r.kernel.org>,
        <linux-usb@...r.kernel.org>, <mchehab@...nel.org>,
        <syzkaller-bugs@...glegroups.com>, <tiwai@...e.com>
Subject: Re: general protection fault in go7007_usb_probe

On Wed, 22 Apr 2020 12:32:20 +0200,
Oliver Neukum wrote:
> 
> Am Dienstag, den 21.04.2020, 16:45 -0700 schrieb syzbot:
> > syzbot has found a reproducer for the following crash on:
> > 
> > HEAD commit:    e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12da0b58100000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> > dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1146eb17e00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=159d136fe00000
> > 
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+cabfa4b5b05ff6be4ef0@...kaller.appspotmail.com
> 
> Hi,
> 
> this looks to be technically caused by
> 
> commit a3ea410cac41b19a5490aad7fe6d9a9a772e646e
> Author: Takashi Iwai <tiwai@...e.de>
> Date:   Thu Feb 6 16:45:27 2020 +0100
> 
>     media: go7007: Fix URB type for interrupt handling
> 
> It introduces this check:
> 
> +       ep = usb->usbdev->ep_in[4];
> +       if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
> 
> However, there is no guarantee ep_in[4] exists, if a malicious device
> were involved. But, I do not want to just add a check for NULL. That
> would just paper over the bug and the driver would fail at a later
> stage.

Yes, the patch assumed the existence of ep 4, as you can see in the
later code, the driver blindly uses the fixed endpoint for the urb.
So we'll hit a problem in anyway.

> How many endpoints do these devices need to have to operate?

Not sure about that, but the NULL-check of ep there should be right.
If ep_in[4] is NULL, the probe should fail before going to the next
USB_ENDPOINT_XFER_BULK check.


thanks,

Takashi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ