lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1587551540.26476.12.camel@suse.com>
Date:   Wed, 22 Apr 2020 12:32:20 +0200
From:   Oliver Neukum <oneukum@...e.com>
To:     syzbot <syzbot+cabfa4b5b05ff6be4ef0@...kaller.appspotmail.com>,
        andreyknvl@...gle.com, hverkuil-cisco@...all.nl,
        linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
        linux-usb@...r.kernel.org, mchehab@...nel.org,
        syzkaller-bugs@...glegroups.com
Cc:     tiwai@...e.com
Subject: Re: general protection fault in go7007_usb_probe

Am Dienstag, den 21.04.2020, 16:45 -0700 schrieb syzbot:
> syzbot has found a reproducer for the following crash on:
> 
> HEAD commit:    e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=12da0b58100000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1146eb17e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=159d136fe00000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cabfa4b5b05ff6be4ef0@...kaller.appspotmail.com

Hi,

this looks to be technically caused by

commit a3ea410cac41b19a5490aad7fe6d9a9a772e646e
Author: Takashi Iwai <tiwai@...e.de>
Date:   Thu Feb 6 16:45:27 2020 +0100

    media: go7007: Fix URB type for interrupt handling

It introduces this check:

+       ep = usb->usbdev->ep_in[4];
+       if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)

However, there is no guarantee ep_in[4] exists, if a malicious device
were involved. But, I do not want to just add a check for NULL. That
would just paper over the bug and the driver would fail at a later
stage.

How many endpoints do these devices need to have to operate?

	Regards
		Oliver

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ