Message-Id: <20250316151319.1310765-1-kovalev@altlinux.org>
Date: Sun, 16 Mar 2025 18:13:19 +0300
From: Vasiliy Kovalev <kovalev@...linux.org>
To: Dmitry Torokhov <dmitry.torokhov@...il.com>,
	Erick Archer <erick.archer@...look.com>,
	Xing Wei <weixing@...wang.com.cn>,
	Jiri Kosina <jikos@...nel.org>,
	linux-input@...r.kernel.org,
	linux-kernel@...r.kernel.org
Cc: lvc-project@...uxtesting.org,
	kovalev@...linux.org
Subject: [PATCH] Input: hanwang - require Interrupt IN endpoint

Fix binding to compromised USB devices using non-Interrupt endpoint
(e.g., Bulk), which can trigger a system crash with panic_on_warn
enabled. Replace endpoint count check with usb_find_int_in_endpoint()
to enforce Interrupt IN.

Syzbot report:
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 2827 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 0 UID: 0 PID: 2827 Comm: acpid Not tainted 6.14.0-rc3-syzkaller-00071-gb331a3d8097f #0

Call Trace:
 <TASK>
 hanwang_open+0xa8/0xf0 drivers/input/tablet/hanwang.c:284
 input_open_device+0x230/0x390 drivers/input/input.c:600
 evdev_open+0x52d/0x690 drivers/input/evdev.c:478
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0x6cb/0x1390 fs/open.c:956
 vfs_open+0x82/0x3f0 fs/open.c:1086
 do_open fs/namei.c:3830 [inline]
 path_openat+0x1e88/0x2d80 fs/namei.c:3989
 do_filp_open+0x20c/0x470 fs/namei.c:4016
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
 __x64_sys_openat+0x175/0x210 fs/open.c:1454
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Found by Linux Verification Center (linuxtesting.org) with
"USB Gadget Tests" [1]:

$ make input-tab-hanwang
$ sudo ./src/input-tab-hanwang/input-tab-hanwang --invalid_ep_int_type

Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets")
Cc: stable@...r.kernel.org
[1] Link: https://github.com/kovalev0/usb-gadget-tests
Reported-by: syzbot+9fe8f6caeb5661802ca2@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9fe8f6caeb5661802ca2
Signed-off-by: Vasiliy Kovalev <kovalev@...linux.org>
---
 drivers/input/tablet/hanwang.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/input/tablet/hanwang.c b/drivers/input/tablet/hanwang.c
index 42c1e5eaddd50..7315bee4f3fe7 100644
--- a/drivers/input/tablet/hanwang.c
+++ b/drivers/input/tablet/hanwang.c
@@ -319,8 +319,11 @@ static int hanwang_probe(struct usb_interface *intf, const struct usb_device_id
 	int error;
 	int i;
 
-	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
+	if (usb_find_int_in_endpoint(intf->cur_altsetting,
+				     &endpoint) != 0) {
+		dev_err(&intf->dev, "int in endpoint not found\n");
 		return -ENODEV;
+	}
 
 	hanwang = kzalloc(sizeof(*hanwang), GFP_KERNEL);
 	input_dev = input_allocate_device();
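Review bot: the new check at the top of hanwang_probe() compares the helper's result with `!= 0` and then discards it. The usual kernel form is either `if (usb_find_int_in_endpoint(...))` or storing the result in the existing `error` variable and testing that, which also fits on fewer lines. The message "int in endpoint not found" would read more clearly as "interrupt IN endpoint not found". Since the condition is controlled entirely by the descriptors of whatever device is plugged in, consider whether dev_err() is the right level or whether a quieter level is enough for a device that is simply being rejected.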
@@ -387,7 +390,6 @@ static int hanwang_probe(struct usb_interface *intf, const struct usb_device_id
 	input_set_abs_params(input_dev, ABS_PRESSURE,
 			     0, hanwang->features->max_pressure, 0, 0);
 
-	endpoint = &intf->cur_altsetting->endpoint[0].desc;
 	usb_fill_int_urb(hanwang->irq, dev,
 			usb_rcvintpipe(dev, endpoint->bEndpointAddress),
 			hanwang->data, hanwang->features->pkg_len,
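Review bot: dropping the `endpoint = &intf->cur_altsetting->endpoint[0].desc;` assignment means the URB is no longer tied to endpoint[0]; it now uses whichever Interrupt IN endpoint the lookup in the first hunk returned, which can be at a different index on an interface with more than one endpoint. That looks intended, but the commit message only mentions rejecting non-Interrupt endpoints, so it should say that the endpoint selection itself changes. It is also worth confirming that nothing between the two hunks reassigns `endpoint`, because the pointer is now set several dozen lines before its only visible use in usb_rcvintpipe().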
-- 
2.42.2

