lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <0a063f6a-cce7-4a78-99e4-7069e37ab3d9@rowland.harvard.edu>
Date: Thu, 23 Jan 2025 10:11:49 -0500
From: Alan Stern <stern@...land.harvard.edu>
To: Petko Manolov <petkan@...leusys.com>
Cc: Nikita Zhandarovich <n.zhandarovich@...tech.ru>,
	Andrew Lunn <andrew+netdev@...n.ch>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	linux-usb@...r.kernel.org, netdev@...r.kernel.org,
	syzbot+d7e968426f644b567e31@...kaller.appspotmail.com,
	syzkaller-bugs@...glegroups.com, linux-kernel@...r.kernel.org,
	lvc-project@...uxtesting.org
Subject: Re: [PATCH net] net: usb: rtl8150: enable basic endpoint checking

On Thu, Jan 23, 2025 at 11:49:30AM +0200, Petko Manolov wrote:
> On 25-01-22 10:59:33, Alan Stern wrote:
> > On Wed, Jan 22, 2025 at 05:20:12AM -0800, Nikita Zhandarovich wrote:
> > > Hi,
> > > 
> > > On 1/22/25 04:43, Petko Manolov wrote:
> > > > On 25-01-22 02:42:46, Nikita Zhandarovich wrote:
> > > >> Syzkaller reports [1] encountering a common issue of utilizing a wrong usb
> > > >> endpoint type during URB submitting stage. This, in turn, triggers a warning
> > > >> shown below.
> > > > 
> > > > If these endpoints were of the wrong type the driver simply wouldn't work.
> > 
> > Better not to bind at all than to bind in a non-working way.  Especially when
> > we can tell by a simple check that the device isn't what the driver expects.
> > 
> > > > The proposed change in the patch doesn't do much in terms of fixing the
> > > > issue (pipe 3 != type 1) and if usb_check_bulk_endpoints() fails, the
> > > > driver will just not probe successfully.  I don't see how this is an
> > > > improvement to the current situation.
> > 
> > It fixes the issue by preventing the driver from submitting an interrupt URB
> > to a bulk endpoint or vice versa.
> 
> I always thought that once DID/VID is verified, there's no much room for that to
> happen.

Unfortunately that's not so, for two reasons.  First, the vendor may 
change the device's design without updating the Product or Device ID, 
and second, a malicious device may spoof the VID, PID, and DID values.  
(Or, as in this case, a fuzzer may try to fool the driver.)

> Alright then.  I'd recommend following Fedor Pchelkin's advise about moving
> those declarations to the beginning of probe(), though.

Agreed.

Alan Stern

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ