lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b35e043d-a371-4cf9-b414-34ba72df1ccc@rowland.harvard.edu>
Date: Mon, 22 Jul 2024 09:38:49 -0400
From: Alan Stern <stern@...land.harvard.edu>
To: Chris Wulff <crwulff@...il.com>
Cc: linux-usb@...r.kernel.org,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Roy Luo <royluo@...gle.com>,
	Krishna Kurapati <quic_kriskura@...cinc.com>,
	Michael Grzeschik <m.grzeschik@...gutronix.de>,
	yuan linyu <yuanlinyu@...onor.com>,
	Paul Cercueil <paul@...pouillou.net>,
	Felipe Balbi <balbi@...nel.org>, linux-kernel@...r.kernel.org,
	stable@...r.kernel.org
Subject: Re: [PATCH] usb: gadget: core: Check for unset descriptor

On Mon, Jul 22, 2024 at 09:00:07AM -0400, Chris Wulff wrote:
> On Sun, Jul 21, 2024 at 9:07 PM Alan Stern <stern@...land.harvard.edu> wrote:
> >
> > On Sun, Jul 21, 2024 at 03:20:49PM -0400, crwulff@...il.com wrote:
> > > From: Chris Wulff <crwulff@...il.com>
> > >
> > > Make sure the descriptor has been set before looking at maxpacket.
> > > This fixes a null pointer panic in this case.
> > >
> > > This may happen if the gadget doesn't properly set up the endpoint
> > > for the current speed, or the gadget descriptors are malformed and
> > > the descriptor for the speed/endpoint are not found.
> >
> > If that happens, doesn't it mean there's a bug in the gadget driver?
> > And if there's a bug, don't we want to be told about it by a big
> > impossible-to-miss error message, so the bug can be fixed?
> 
> Yes, this is an indicator of a problem in a gadget driver as was the
> previous check for a zero max packet size. In this case, the panic
> is in an interrupt context and it doesn't make it out to the console.
> This just results in a system freeze without this fix.
> 
> >
> > > Fixes: 54f83b8c8ea9 ("USB: gadget: Reject endpoints with 0 maxpacket value")
> > > Cc: stable@...r.kernel.org
> > > Signed-off-by: Chris Wulff <crwulff@...il.com>
> > > ---
> > >  drivers/usb/gadget/udc/core.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
> > > index 2dfae7a17b3f..36a5d5935889 100644
> > > --- a/drivers/usb/gadget/udc/core.c
> > > +++ b/drivers/usb/gadget/udc/core.c
> > > @@ -118,7 +118,7 @@ int usb_ep_enable(struct usb_ep *ep)
> > >               goto out;
> > >
> > >       /* UDC drivers can't handle endpoints with maxpacket size 0 */
> > > -     if (usb_endpoint_maxp(ep->desc) == 0) {
> > > +     if (!ep->desc || usb_endpoint_maxp(ep->desc) == 0) {
> > >               /*
> > >                * We should log an error message here, but we can't call
> > >                * dev_err() because there's no way to find the gadget
> >
> > This will just hide the error.  That's not good.
> 
> The previous check was also hiding the error, and introduced a panic.
> I could add a printk to that error case, though it would be unassociated
> with the gadget that caused the problem. This function does also return
> an error code when it fails, so the calling function can check that and
> print an error.

Okay.  It wouldn't hurt to print out an error message, even if there's 
no way to tell which gadget it refers to.  A dump_stack() would help in 
that regard, but it won't be needed if the guilty party will always be 
pretty obvious.

By the way, how did you manage to trigger this error?  None of the 
in-kernel gadget drivers are known to have this bug, and both the 
gadgetfs and raw_gadget drivers prevent userspace from doing it.  Were 
you testing a gadget driver that was under development?

Alan Stern

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ