Date:   Fri, 13 Nov 2020 13:18:05 +0000
From:   John Boero <boeroboy@...il.com>
To:     Alan Stern <stern@...land.harvard.edu>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Felipe Balbi <balbi@...nel.org>, linux-usb@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] usb: core: Null deref in kernel with USB webcams.

Thanks for the tips.

I've spent some more time on this this morning.
It looks like it's not the dev after all.
Every interface in the dev is set NULL after init.

Just like in the original Ubuntu bug 1827452 filed by someone else
the device seems to disconnect itself after uvcvideo initialization.
Then there is a 5 second pause before usb_ifnum_to_if tries
to iterate through its 8 interfaces - all of which are null.
It looks like uvc properly locks the dev, so maybe this could
be caused by any device being unplugged after init?

The WARNING handle preserves USB function though,
and subsequent lsusb behaves fine:

$ lsusb | fold -w 80
Bus 002 Device 002: ID 8087:8002 Intel Corp. 8 channel internal hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:800a Intel Corp. Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 0451:8140 Texas Instruments, Inc. TUSB8041 4-Port Hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 005: ID 1ea7:0064 SHARKOON Technologies GmbH 2.4GHz Wireless rech
argeable vertical mouse [More&Better]
Bus 003 Device 004: ID 145f:025c Trust Trust USB Microphone
Bus 003 Device 002: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID
Bus 003 Device 009: ID 0a5c:21e8 Broadcom Corp. BCM20702A0 Bluetooth 4.0
Bus 003 Device 008: ID 0451:8142 Texas Instruments, Inc. TUSB8041 4-Port Hub
Bus 003 Device 006: ID 062a:4101 MosArt Semiconductor Corp. Wireless Keyboard/Mo
use
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

8x (0-7) occurrences of the following WARNING:

[ 140.678756] usb 3-4: USB disconnect, device number 3
[ 145.995855] ------------[ cut here ]------------
[ 145.995863] dev interface is NULL in usb_ifnum_to_if
[ 145.995907] WARNING: CPU: 31 PID: 5617 at drivers/usb/core/usb.c:289
usb_ifnum_to_if+0x58/0x80

On Thu, Nov 12, 2020 at 7:25 PM Alan Stern <stern@...land.harvard.edu> wrote:
>
> On Thu, Nov 12, 2020 at 06:15:08PM +0000, John Boero wrote:
> > Then why does line 278 right below it check for NULL?
>
> Are you asking about line 278 in drivers/usb/core/usb.c?  The statement
> which says:
>
>         if (!config)
>                 return NULL;
>
> This is because it is perfectly valid for config to be NULL at this
> point.  But it is not valid for dev to be NULL.  If dev is NULL then
> there is a bug in the caller.
>
> Alan Stern
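
Added example, not part of the original message or of the kernel source: a user-space C model of the lookup the thread describes, where all 8 interface slots of the active config are NULL after disconnect. The model_* structs and functions are hypothetical simplifications; the lookup counts and skips NULL slots instead of dereferencing them.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_IFACES 8 /* the report mentions 8 interfaces (0-7) */
/* Simplified stand-ins for the kernel structures (hypothetical names). */
struct model_interface { unsigned char bInterfaceNumber; };
struct model_config {
    unsigned char bNumInterfaces;
    struct model_interface *interface[MAX_IFACES];
};
struct model_device { struct model_config *actconfig; };
static unsigned null_slots_seen; /* stands in for the WARNING lines */

/* Lookup by interface number that counts and skips NULL slots. */
static struct model_interface *
model_ifnum_to_if(const struct model_device *dev, unsigned ifnum)
{
    const struct model_config *config = dev->actconfig;
    if (!config)
        return NULL; /* a NULL config is a valid state, per the quoted reply */
    for (int i = 0; i < config->bNumInterfaces && i < MAX_IFACES; i++) {
        struct model_interface *intf = config->interface[i];
        if (!intf) { null_slots_seen++; continue; } /* no dereference */
        if (intf->bInterfaceNumber == ifnum)
            return intf;
    }
    return NULL;
}

/* Constructed scenario: 8 interfaces, all slots cleared, then one lookup.
 * Returns the number of NULL slots that lookup walked over (99 on error). */
static unsigned model_lookup_after_disconnect(void)
{
    struct model_interface ifs[MAX_IFACES];
    struct model_config cfg = { .bNumInterfaces = MAX_IFACES };
    struct model_device dev = { .actconfig = &cfg };
    for (int i = 0; i < MAX_IFACES; i++) {
        ifs[i].bInterfaceNumber = (unsigned char)i;
        cfg.interface[i] = &ifs[i];
    }
    if (model_ifnum_to_if(&dev, 3) != &ifs[3])
        return 99; /* lookup on the intact device must succeed */
    for (int i = 0; i < MAX_IFACES; i++)
        cfg.interface[i] = NULL; /* state described in the report */
    null_slots_seen = 0;
    return model_ifnum_to_if(&dev, 3) ? 99 : null_slots_seen;
}

int main(void) { printf("NULL slots skipped: %u\n", model_lookup_after_disconnect()); return 0; }
```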
