lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 27 Feb 2024 08:10:15 +0530
From: Krishna Kurapati PSSNV <quic_kriskura@...cinc.com>
To: Maciej Żenczykowski <maze@...gle.com>
CC: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        <linux-usb@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <quic_ppratap@...cinc.com>, <quic_wcheng@...cinc.com>,
        <quic_jackp@...cinc.com>
Subject: Re: [RFC PATCH] usb: gadget: ncm: Fix handling of zero block length
 packets



On 2/27/2024 3:26 AM, Maciej Żenczykowski wrote:
> On Mon, Feb 26, 2024 at 3:28 AM Krishna Kurapati
> <quic_kriskura@...cinc.com> wrote:
>>
>> While connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX
>> set to 65536, it has been observed that we receive short packets,
>> which come at interval of 5-10 seconds sometimes and have block
>> length zero but still contain 1-2 valid datagrams present.
>>
>> According to the NCM spec:
>>
>> "If wBlockLength = 0x0000, the block is terminated by a
>> short packet. In this case, the USB transfer must still
>> be shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If
>> exactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,
>> and the size is a multiple of wMaxPacketSize for the
>> given pipe, then no ZLP shall be sent.
>>
>> wBlockLength= 0x0000 must be used with extreme care, because
>> of the possibility that the host and device may get out of
>> sync, and because of test issues.
>>
>> wBlockLength = 0x0000 allows the sender to reduce latency by
>> starting to send a very large NTB, and then shortening it when
>> the sender discovers that there’s not sufficient data to justify
>> sending a large NTB"
>>
>> However, there is a potential issue with the current implementation,
>> as it checks for the occurrence of multiple NTBs in a single
>> giveback by verifying if the leftover bytes to be processed is zero
>> or not. If the block length reads zero, we would process the same
>> NTB infintely because the leftover bytes is never zero and it leads
>> to a crash. Fix this by bailing out if block length reads zero.
>>
>> Fixes: 427694cfaafa ("usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call")
>> Signed-off-by: Krishna Kurapati <quic_kriskura@...cinc.com>
>> ---
>>
>> PS: Although this issue was seen after CDC_NCM_NTB_DEF_SIZE_TX
>> was modified to 64K on host side, I still believe this
>> can come up at any time as per the spec. Also I assumed
>> that the giveback where block length is zero, has only
>> one NTB and not multiple ones.
>>
>>   drivers/usb/gadget/function/f_ncm.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c
>> index e2a059cfda2c..355e370e5140 100644
>> --- a/drivers/usb/gadget/function/f_ncm.c
>> +++ b/drivers/usb/gadget/function/f_ncm.c
>> @@ -1337,6 +1337,9 @@ static int ncm_unwrap_ntb(struct gether *port,
>>          VDBG(port->func.config->cdev,
>>               "Parsed NTB with %d frames\n", dgram_counter);
>>
>> +       if (block_len == 0)
>> +               goto done;
>> +
>>          to_process -= block_len;
>>
>>          /*
>> @@ -1351,6 +1354,7 @@ static int ncm_unwrap_ntb(struct gether *port,
>>                  goto parse_ntb;
>>          }
>>
>> +done:
>>          dev_consume_skb_any(skb);
>>
>>          return 0;
>> --
>> 2.34.1
>>
> 
> In general this is of course fine (though see Greg's auto-complaint).
> 
> I haven't thought too much about this, but I just wonder whether the
> check for block_len == 0
> shouldn't be just after block_len is read, ie. somewhere just after:
> 
> block_len = get_ncm(&tmp, opts->block_length);
> 
> as it is kind of weird to be handling block_len == 0 at the point where
> you are already theoretically done processing the block...
> 
> I guess, as is, this assumes the block isn't actually of length 0,
> since there's a bunch of following get_ncm() calls...
> Are those guaranteed to be valid?
> 

I did get this doubt and tried it. I bailed out as soon as I found out 
block len is zero without actually processing the datagrams present and 
when I did that even ping doesn't work. Everything works only when the 
datagrams in this zero block len NTB are parsed properly.

> I guess I don't actually see the infinite loop with block_len == 0,
> since get_ncm() always moves us forward...
> 

The infinite loop occurs because we keep moving the buffer pointer 
forward and keep processing the giveback until to_process variable 
becomes zero or one. In case block length is zero, we never move the 
buffer pointer forward and never reduce to_process variable and hence 
keep infinitely processing the same NTB over and over again.

> Maybe your patch *is* correct as is, and you just need a comment
> explaining *why* block_len == 0 is terminal at the spot you're adding the check.
> 
> Also couldn't you fix this without goto, by changing
> 
>    } else if (to_process > 0) {
> to
>    } else if (to_process && block_len) {
>      // See NCM spec.  zero block_len means short packet.
> 

I will test this out once (although I know that looking at it, it would 
definitely work) and send v2 with this diff.

Thanks for the review.

Regards,
Krishna,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ