lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Z-QjIRoOWpoWaL6l@shikoro>
Date: Wed, 26 Mar 2025 16:54:09 +0100
From: Wolfram Sang <wsa+renesas@...g-engineering.com>
To: Alan Stern <stern@...land.harvard.edu>
Cc: syzbot <syzbot+c38e5e60d0041a99dbf5@...kaller.appspotmail.com>,
	gregkh@...uxfoundation.org, linux-i2c@...r.kernel.org,
	linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH v2] media: dvb: usb: Fix WARNING in
 dib0700_i2c_xfer/usb_submit_urb

On Wed, Mar 26, 2025 at 11:28:19AM -0400, Alan Stern wrote:
> The syzbot fuzzer reported a WARNING related to the dib0700 dvb-usb
> driver:
> 
> usb 1-1: BOGUS control dir, pipe 80000f80 doesn't match bRequestType c0
> WARNING: CPU: 1 PID: 5901 at drivers/usb/core/urb.c:413 usb_submit_urb+0x11d9/0x18c0 drivers/usb/core/urb.c:411
> ...
> Call Trace:
>  <TASK>
>  usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59
>  usb_internal_control_msg drivers/usb/core/message.c:103 [inline]
>  usb_control_msg+0x2b1/0x4c0 drivers/usb/core/message.c:154
>  dib0700_ctrl_rd drivers/media/usb/dvb-usb/dib0700_core.c:95 [inline]
>  dib0700_i2c_xfer_legacy drivers/media/usb/dvb-usb/dib0700_core.c:315 [inline]
>  dib0700_i2c_xfer+0xc53/0x1060 drivers/media/usb/dvb-usb/dib0700_core.c:361
>  __i2c_transfer+0x866/0x2220
>  i2c_transfer+0x271/0x3b0 drivers/i2c/i2c-core-base.c:2315
>  i2cdev_ioctl_rdwr+0x452/0x710 drivers/i2c/i2c-dev.c:306
>  i2cdev_ioctl+0x759/0x9f0 drivers/i2c/i2c-dev.c:467
>  vfs_ioctl fs/ioctl.c:51 [inline]
> 
> Evidently the fuzzer submitted an I2C transfer containing a length-0
> read message.  The dib0700 driver translated this more or less
> literally into a length-0 USB read request.  But the USB protocol does
> not allow reads to have length 0; all length-0 transfers are
> considered to be writes.  Hence the WARNING above.
> 
> Fix the problem by adding the I2C_AQ_NO_ZERO_LEN_READ adapter quirk
> flag to all the USB I2C adapter devices managed by dvb-usb-i2c.c,
> following Wolfram Sang's suggestion.  This tells the I2C core not to
> allow length-0 read messages.
> 
> Reported-by: syzbot+c38e5e60d0041a99dbf5@...kaller.appspotmail.com
> Tested-by: syzbot+c38e5e60d0041a99dbf5@...kaller.appspotmail.com
> Suggested-by: Wolfram Sang <wsa+renesas@...g-engineering.com>
> Signed-off-by: Alan Stern <stern@...land.harvard.edu>
> Link: https://lore.kernel.org/linux-usb/67e1a1f5.050a0220.a7ebc.0029.GAE@google.com/

Reviewed-by: Wolfram Sang <wsa+renesas@...g-engineering.com>

Thanks for taking care of it!


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ