lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <48283487-cbd6-4869-b5ca-70a30d6190e7@linux.intel.com>
Date: Fri, 20 Dec 2024 14:47:49 +0200
From: Mathias Nyman <mathias.nyman@...ux.intel.com>
To: Michal Pecio <michal.pecio@...il.com>,
 Mathias Nyman <mathias.nyman@...el.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] usb: xhci: Fix NULL pointer dereference on certain
 command aborts

On 19.12.2024 22.55, Michal Pecio wrote:
> If a command is queued to the final usable TRB of a ring segment, the
> enqueue pointer is advanced to the subsequent link TRB and no further.
> If the command is later aborted, when the abort completion is handled
> the dequeue pointer is advanced to the first TRB of the next segment.
> 
> If no further commands are queued, xhci_handle_stopped_cmd_ring() sees
> the ring pointers unequal and assumes that there is a pending command,
> so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.

Nice catch.

That enqueue-dequeue pointer comparison should probably be changed to
checking cmd_list directly. We do use list_empty() and list_is_singular()
in other places

But that would be a separate cleanup later.

> 
> Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell
> ring likely is unnecessary too, but it's harmless. Leave it alone.
> 
> This is probably Bug 219532, but no confirmation has been received.
> 
> The issue has been independently reproduced and confirmed fixed using
> a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.
> Everything continued working normally after several prevented crashes.
> 
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=219532
> Fixes: c311e391a7ef ("xhci: rework command timeout and cancellation,")
> CC: stable@...r.kernel.org
> Signed-off-by: Michal Pecio <michal.pecio@...il.com>
> ---

Adding to queue

Thanks
-Mathias

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ