Message-ID: <20250226233815.46d2f053@foxbook>
Date: Wed, 26 Feb 2025 23:38:15 +0100
From: Michał Pecio <michal.pecio@...il.com>
To: Mathias Nyman <mathias.nyman@...el.com>, Greg Kroah-Hartman
 <gregkh@...uxfoundation.org>
Cc: Niklas Neronin <niklas.neronin@...ux.intel.com>,
 linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 1/5] usb: xhci: Don't skip on Stopped - Length
 Invalid

On Wed, 26 Feb 2025 08:02:55 +0100, Michal Pecio wrote:
> After d56b0b2ab142, TDs are immediately skipped when handling those
> Stopped events. This poses a potential problem in case of Stopped -
> Length Invalid, which occurs either on completed TDs (likely already
> given back) or Link and No-Op TRBs. Such an event won't be recognized
> as matching any TD (unless it's the rare Link TRB inside a TD) and
> will result in skipping all pending TDs, giving them back possibly
> before they are done, risking isoc data loss and maybe UAF by HW.

Actually, Stopped and Stopped - Short Packet may be unsafe too.
As far as I understand, one of those (depending on SPC capability)
can occur on the second TRB of a TD whose first TRB completed with
Short Packet. Then the TD is already given back and removed from
td_list, so no match will be found with this Stopped event.

I suspect this is the reason why the driver has a policy to silently
ignore Stopped events which don't match the pending TD, and not only
Stopped - Length Invalid. Not sure why Stopped - Short Packet isn't
also ignored and yet apparently doesn't cause problems.
