lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20210824115006.a5zzgxjy6nwakdmg@lion.mk-sys.cz>
Date:   Tue, 24 Aug 2021 13:50:06 +0200
From:   Michal Kubecek <mkubecek@...e.cz>
To:     Alan Stern <stern@...land.harvard.edu>
Cc:     syzbot <syzbot+9b57a46bf1801ce2a2ca@...kaller.appspotmail.com>,
        benjamin.tissoires@...hat.com, jikos@...nel.org,
        linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-usb@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] WARNING in hid_submit_ctrl/usb_submit_urb

On Thu, Aug 19, 2021 at 03:53:00PM -0400, Alan Stern wrote:
> The following simplified variant of Michal's patch should fix the 
> problem.
> 
> Alan Stern
> 
> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 794c7931a242
> 
> Index: usb-devel/drivers/hid/usbhid/hid-core.c
> ===================================================================
> --- usb-devel.orig/drivers/hid/usbhid/hid-core.c
> +++ usb-devel/drivers/hid/usbhid/hid-core.c
> @@ -377,27 +377,23 @@ static int hid_submit_ctrl(struct hid_de
>  	len = hid_report_len(report);
>  	if (dir == USB_DIR_OUT) {
>  		usbhid->urbctrl->pipe = usb_sndctrlpipe(hid_to_usb_dev(hid), 0);
> -		usbhid->urbctrl->transfer_buffer_length = len;
>  		if (raw_report) {
>  			memcpy(usbhid->ctrlbuf, raw_report, len);
>  			kfree(raw_report);
>  			usbhid->ctrl[usbhid->ctrltail].raw_report = NULL;
>  		}
>  	} else {
> -		int maxpacket, padlen;
> +		int maxpacket;
>  
>  		usbhid->urbctrl->pipe = usb_rcvctrlpipe(hid_to_usb_dev(hid), 0);
>  		maxpacket = usb_maxpacket(hid_to_usb_dev(hid),
>  					  usbhid->urbctrl->pipe, 0);
> -		if (maxpacket > 0) {
> -			padlen = DIV_ROUND_UP(len, maxpacket);
> -			padlen *= maxpacket;
> -			if (padlen > usbhid->bufsize)
> -				padlen = usbhid->bufsize;
> -		} else
> -			padlen = 0;
> -		usbhid->urbctrl->transfer_buffer_length = padlen;
> +		len += (len == 0);	/* Don't allow 0-length reports */
> +		len = round_up(len, maxpacket);
> +		if (len > usbhid->bufsize)
> +			len = usbhid->bufsize;
>  	}
> +	usbhid->urbctrl->transfer_buffer_length = len;
>  	usbhid->urbctrl->dev = hid_to_usb_dev(hid);
>  
>  	usbhid->cr->bRequestType = USB_TYPE_CLASS | USB_RECIP_INTERFACE | dir;

I have also tested this patch on top of 5.14-rc7 on my system and it
does address the original issue (no error/warning messages in kernel log
and communication with the UPS works correctly). So if you are going to
submit the patch formally, feel free to use

Tested-by: Michal Kubecek <mkubecek@...e.cz>

Michal

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ