| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f099be8f-0ae0-49c7-b0bc-02770d9c1210@rowland.harvard.edu> Date: Wed, 22 Jan 2025 10:59:33 -0500 From: Alan Stern <stern@...land.harvard.edu> To: Nikita Zhandarovich <n.zhandarovich@...tech.ru> Cc: Petko Manolov <petkan@...leusys.com>, Andrew Lunn <andrew+netdev@...n.ch>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, linux-usb@...r.kernel.org, netdev@...r.kernel.org, syzbot+d7e968426f644b567e31@...kaller.appspotmail.com, syzkaller-bugs@...glegroups.com, linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org Subject: Re: [PATCH net] net: usb: rtl8150: enable basic endpoint checking On Wed, Jan 22, 2025 at 05:20:12AM -0800, Nikita Zhandarovich wrote: > Hi, > > On 1/22/25 04:43, Petko Manolov wrote: > > On 25-01-22 02:42:46, Nikita Zhandarovich wrote: > >> Syzkaller reports [1] encountering a common issue of utilizing a wrong usb > >> endpoint type during URB submitting stage. This, in turn, triggers a warning > >> shown below. > > > > If these endpoints were of the wrong type the driver simply wouldn't work. Better not to bind at all than to bind in a non-working way. Especially when we can tell by a simple check that the device isn't what the driver expects. > > The proposed change in the patch doesn't do much in terms of fixing the issue > > (pipe 3 != type 1) and if usb_check_bulk_endpoints() fails, the driver will just > > not probe successfully. I don't see how this is an improvement to the current > > situation. It fixes the issue by preventing the driver from submitting an interrupt URB to a bulk endpoint or vice versa. > > We should either spend some time fixing the "BOGUS urb xfer, pipe 3 != type 1" > > for real or not touch anything. > > > > > > Petko > > > > > > Thank you for your answer, I had a couple thoughts though. > > If I understand correctly (which may not be the case, of course), since > the driver currently does not have any sanity checks for endpoints and > URBs' pipes are initialized essentially by fixed constants (as is often > the case), once again without any testing, then a virtual, weirdly > constructed device, like the one made up by Syzkaller, could provide > endpoints with contents that may cause that exact warning. > > Real-life devices (with appropriate eps) would still work well and are > in no danger, with or without the patch. And even if that warning is > triggered, I am not certain the consequences are that severe, maybe on > kernels with 'panic_on_warn' set, and that's another conversation. > However, it seems that the change won't hurt either. Failing probe() in > such situations looks to be the standard. > > If my approach is flawed, I'd really appreciate some hints on how you > would address that issue and I'd like to tackle it. I'd also ask if > other recipients could provide some of their views on the issue, even if > just to prove me wrong. I agree with this approach; it seems like the best way to address this issue. Alan Stern
Powered by blists - more mailing lists