| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250123094930.GG4145@bender.k.g> Date: Thu, 23 Jan 2025 11:49:30 +0200 From: Petko Manolov <petkan@...leusys.com> To: Alan Stern <stern@...land.harvard.edu> Cc: Nikita Zhandarovich <n.zhandarovich@...tech.ru>, Andrew Lunn <andrew+netdev@...n.ch>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, linux-usb@...r.kernel.org, netdev@...r.kernel.org, syzbot+d7e968426f644b567e31@...kaller.appspotmail.com, syzkaller-bugs@...glegroups.com, linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org Subject: Re: [PATCH net] net: usb: rtl8150: enable basic endpoint checking On 25-01-22 10:59:33, Alan Stern wrote: > On Wed, Jan 22, 2025 at 05:20:12AM -0800, Nikita Zhandarovich wrote: > > Hi, > > > > On 1/22/25 04:43, Petko Manolov wrote: > > > On 25-01-22 02:42:46, Nikita Zhandarovich wrote: > > >> Syzkaller reports [1] encountering a common issue of utilizing a wrong usb > > >> endpoint type during URB submitting stage. This, in turn, triggers a warning > > >> shown below. > > > > > > If these endpoints were of the wrong type the driver simply wouldn't work. > > Better not to bind at all than to bind in a non-working way. Especially when > we can tell by a simple check that the device isn't what the driver expects. > > > > The proposed change in the patch doesn't do much in terms of fixing the > > > issue (pipe 3 != type 1) and if usb_check_bulk_endpoints() fails, the > > > driver will just not probe successfully. I don't see how this is an > > > improvement to the current situation. > > It fixes the issue by preventing the driver from submitting an interrupt URB > to a bulk endpoint or vice versa. I always thought that once DID/VID is verified, there's no much room for that to happen. > > > We should either spend some time fixing the "BOGUS urb xfer, pipe 3 != > > > type 1" for real or not touch anything. > > > > > > > > > Petko > > > > > > > > > > Thank you for your answer, I had a couple thoughts though. > > > > If I understand correctly (which may not be the case, of course), since the > > driver currently does not have any sanity checks for endpoints and URBs' > > pipes are initialized essentially by fixed constants (as is often the case), > > once again without any testing, then a virtual, weirdly constructed device, > > like the one made up by Syzkaller, could provide endpoints with contents > > that may cause that exact warning. > > > > Real-life devices (with appropriate eps) would still work well and are in no > > danger, with or without the patch. And even if that warning is triggered, I > > am not certain the consequences are that severe, maybe on kernels with > > 'panic_on_warn' set, and that's another conversation. However, it seems that > > the change won't hurt either. Failing probe() in such situations looks to be > > the standard. > > > > If my approach is flawed, I'd really appreciate some hints on how you would > > address that issue and I'd like to tackle it. I'd also ask if other > > recipients could provide some of their views on the issue, even if just to > > prove me wrong. > > I agree with this approach; it seems like the best way to address this issue. Alright then. I'd recommend following Fedor Pchelkin's advise about moving those declarations to the beginning of probe(), though. Petko
Powered by blists - more mailing lists