lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8bbc84ee-44c9-4a85-b5bf-3980b3c81e5c@rowland.harvard.edu>
Date: Sun, 20 Jul 2025 21:29:18 -0400
From: Alan Stern <stern@...land.harvard.edu>
To: Arnaud Lecomte <contact@...aud-lcm.com>
Cc: gregkh@...uxfoundation.org, linux-usb@...r.kernel.org,
	linux-kernel@...r.kernel.org, viro@...iv.linux.org.uk,
	snovitoll@...il.com,
	syzbot+86b6d7c8bcc66747c505@...kaller.appspotmail.com,
	syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] usb: mon: Fix slab-out-of-bounds in mon_bin_event due to
 unsafe URB transfer_buffer access

On Sun, Jul 20, 2025 at 09:00:57PM +0100, Arnaud Lecomte wrote:
> The syzkaller fuzzer uncovered a kernel slab-out-of-bounds
>  write in the USB monitoring subsystem (mon_bin) when handling
>  a malformed URB (USB Request Block) with the following properties:
>  - transfer_buffer_length = 0xffff
>  - actual_length = 0x0 (no data transferred)
>  - number_of_packets = 0x0 (non-isochronous transfer)

This kind of problem is fixed not by changing the way mon_bin reacts to 
malformed URBs, but rather by correcting the code that creates the URBs 
in the first place so that they won't be malformed.

> When reaching the mon_copy_to_buff function,
>  we will try to copy into the mon rp bin with the following parameters:
> off=0xcc0, from=0xffff8880246df5e1 "", length=0xf000
> 
> At the first iteration, the step_len is 0x340 and it is during the mem_cpy
> that the slab-out-of-bounds happens.
> As step_len < transfer_buffer_length, we can deduce that it is related
>  to an issue with the transfer_buffer being invalid.
> The patch proposes a safe access to the kernel
>  kernel buffer urb->transfer_buffer with `copy_from_kernel_nofault`.
> 
> Reported-by: syzbot+86b6d7c8bcc66747c505@...kaller.appspotmail.com
> Fixes: 6f23ee1fefdc1 ("USB: add binary API to usbmon")
> Closes: https://syzkaller.appspot.com/bug?extid=86b6d7c8bcc66747c505
> Tested-by: syzbot+86b6d7c8bcc66747c505@...kaller.appspotmail.com
> Signed-off-by: Arnaud Lecomte <contact@...aud-lcm.com>
> ---

This is unnecessary.  The underlying cause of the problem was fixed by 
commit 0d0777ccaa2d ("HID: core: ensure __hid_request reserves the 
report ID as the first byte") in the HID tree.

Alan Stern

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ