lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+biD8AdKncmvqmaz3dytV-zoeo==rdkTSJvaZ9=RUs=UA@mail.gmail.com>
Date:   Mon, 12 Jul 2021 18:24:43 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Alan Stern <stern@...land.harvard.edu>
Cc:     Johan Hovold <johan@...nel.org>,
        syzbot <syzbot+72af3105289dcb4c055b@...kaller.appspotmail.com>,
        gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
        linux-usb@...r.kernel.org, mathias.nyman@...ux.intel.com,
        syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] WARNING in do_proc_control/usb_submit_urb

On Mon, 12 Jul 2021 at 18:14, Alan Stern <stern@...land.harvard.edu> wrote:
> > > > > Hello,
> > > > >
> > > > > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > > > > WARNING in do_proc_control/usb_submit_urb
> >
> > > > I don't get this.  It shouldn't be possible.  The fact that the
> > > > direction bit is set in both bRequestType and pipe means that the URB
> > > > was submitted as a control-IN but had length 0.  But the patch addresses
> > > > exactly that case:
> > > >
> > > > --- usb-devel.orig/drivers/usb/core/devio.c
> > > > +++ usb-devel/drivers/usb/core/devio.c
> > > > @@ -1133,7 +1133,7 @@ static int do_proc_control(struct usb_de
> > > >           "wIndex=%04x wLength=%04x\n",
> > > >           ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
> > > >           ctrl->wIndex, ctrl->wLength);
> > > > - if (ctrl->bRequestType & 0x80) {
> > > > + if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength) {
> > > >           pipe = usb_rcvctrlpipe(dev, 0);
> > > >           snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
> > > >
> > > > and causes the kernel to handle it as a control-OUT instead.
> > > >
> > > > Johan, any ideas?
> > >
> > > Did syzbot actually test the patch? I can't see how the direction bit of
> > > the pipe argument can be set with the above applied either.
> >
> > It looks like the second patch you submitted was hand-edited and still
> > quoted.
> >
> > And looking at the dashboard it seems like no patch was applied for your
> > second test attempt:
> >
> >       https://syzkaller.appspot.com/bug?extid=72af3105289dcb4c055b
>
> Yes, that explains it.  Funny how easy it is to miss those "> "
> markings -- you just get too used to them.
>
> > I've been bitten by something like this before when erroneously thinking
> > that a test command could be submitted as a reply to a patch.
> >
> > Perhaps the report mail could include the patch tested or something so
> > we don't spend time investigating syzbot interface failures.
>
> Good idea.

The email always include the patch tested (as syzbot parsed it), see
e.g. earlier reply in this thread:
https://lore.kernel.org/lkml/00000000000074f06705c6ccd2a4@google.com/



> Anyway, here's the patch again, this time properly formatted.  Hopefully
> now it will work.

syzbot parsed this patch successfully:
https://syzkaller.appspot.com/bug?extid=72af3105289dcb4c055b



> Alan Stern
>
>
> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git ee268dee
>
> Index: usb-devel/drivers/usb/core/devio.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/core/devio.c
> +++ usb-devel/drivers/usb/core/devio.c
> @@ -1133,7 +1133,7 @@ static int do_proc_control(struct usb_de
>                 "wIndex=%04x wLength=%04x\n",
>                 ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
>                 ctrl->wIndex, ctrl->wLength);
> -       if (ctrl->bRequestType & 0x80) {
> +       if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength) {
>                 pipe = usb_rcvctrlpipe(dev, 0);
>                 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
>
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/20210712161445.GA321728%40rowland.harvard.edu.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ