| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2023062945-fencing-pebble-0411@gregkh>
Date: Thu, 29 Jun 2023 17:36:51 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Kees Cook <keescook@...omium.org>
Cc: llvm@...ts.linux.dev, linux-kbuild@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org,
Borislav Petkov <bp@...en8.de>, linux-usb@...r.kernel.org
Subject: UBSAN spat in valid xhci code in Linus's current tree (6.4+)
Hi Kees.
Boris just reported to me a UBSAN splat in the USB xhci driver in
Linus's tree that wasn't present in 6.4-final, and given that no USB
changes are merged yet there, I was confused.
Turns out, I think you all missed a "variable length" structure in the
xhci driver, which UBSAN is calling out a being an overrun, when really
it isn't (it's just written that way...)
The splat is:
UBSAN: array-index-out-of-bounds in drivers/usb/host/xhci-hub.c:231:31
index 1 is out of range for type '__le32 [1]'
CPU: 0 PID: 1556 Comm: kworker/0:2 Not tainted 6.4.0+ #7
And yes, the code there:
ssp_cap->bmSublinkSpeedAttr[offset++] = cpu_to_le32(attr);
is accessing the ssp_cap->bmSublinkSpeedAttr field with is declared as:
_le32 bmSublinkSpeedAttr[1]; /* list of sublink speed attrib entries */
in include/uapi/linux/usb/ch9.h
So perhaps 2d47c6956ab3 ("ubsan: Tighten UBSAN_BOUNDS on GCC") should be
reverted for now? Or this field fixed up to properly be marked as a
variable length array of at least one entry?
thanks,
greg k-h
Powered by blists - more mailing lists