Message-ID: <20250902104630.6a9f088a.michal.pecio@gmail.com>
Date: Tue, 2 Sep 2025 10:46:30 +0200
From: Michał Pecio <michal.pecio@...il.com>
To: "David Wang" <00107082@....com>
Cc: "Mathias Nyman" <mathias.nyman@...ux.intel.com>,
 WeitaoWang-oc@...oxin.com, gregkh@...uxfoundation.org,
 linux-usb@...r.kernel.org, regressions@...ts.linux.dev,
 linux-kernel@...r.kernel.org, surenb@...gle.com, kent.overstreet@...ux.dev
Subject: Re: [PATCH] usb: xhci: Fix xhci_free_virt_devices_depth_first()

On Tue, 2 Sep 2025 16:30:48 +0800 (CST), David Wang wrote:
> About the change from "<" to "<=", I did not observe any difference on my system. Is it because my system does not use up all slots?

This too, you would need to fiddle with devices (or connect enough
of them) to reach Slot ID 255 (probably the highest on most systems),
depending on the xHCI controller and its ID allocation policy.

But also as explained, this bug doesn't make things go boom just yet.

Except if combined with your bug in an obscure edge case:

1. A high speed hub has slot ID HCS_MAX_SLOTS-1 and some TT children.
2. Another high speed hub has slot ID HCS_MAX_SLOTS.
3. We start with freeing the second hub.
4. The loop is entered and leaves vdev pointing at the first hub.
5. The first hub is freed instead of the second one.
6. Then its children are freed and UAF its tt_info.
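
The edge case in steps 1-6 above, as an added user-space model; it is not part of the message and not the kernel's code. It assumes, as the steps imply, that the scan over slots stops at "<" and reuses vdev, which is then what gets freed. The struct layout, add_dev, setup_scenario, free_depth_first and its fixed flag are hypothetical names, and MAX_SLOTS 255 stands in for HCS_MAX_SLOTS.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SLOTS 255  /* stand-in for HCS_MAX_SLOTS; 255 as in the message */

/* Constructed model of a virtual device, not the kernel's struct. */
static struct vdev { int slot_id, is_tt_hub, tt_slot; } pool[MAX_SLOTS + 1];
static struct vdev *devs[MAX_SLOTS + 1];  /* indexed by slot ID, 1..MAX_SLOTS */

static void add_dev(int slot, int is_tt_hub, int tt_slot)
{
    pool[slot] = (struct vdev){ slot, is_tt_hub, tt_slot };
    devs[slot] = &pool[slot];
}

/* Steps 1-2: TT hubs in the two highest slots; slot 1 is a child of the first. */
static void setup_scenario(void)
{
    memset(devs, 0, sizeof(devs));
    add_dev(MAX_SLOTS - 1, 1, 0);
    add_dev(MAX_SLOTS, 1, 0);
    add_dev(1, 0, MAX_SLOTS - 1);   /* tt_slot: hub whose TT this device uses */
}

/* Frees TT children of slot_id, then the device; returns the slot really freed.
 * fixed == 0 combines both bugs: "<" bound and the scan overwriting vdev. */
static int free_depth_first(int slot_id, int fixed)
{
    struct vdev *vdev = devs[slot_id];
    int is_hub = vdev && vdev->is_tt_hub;           /* step 4: loop is entered */
    int last = fixed ? MAX_SLOTS : MAX_SLOTS - 1;   /* "<=" versus "<" */
    for (int i = 1; is_hub && i <= last; i++) {
        struct vdev *cur = devs[i];
        if (!fixed)
            vdev = cur;             /* bug: vdev no longer names slot_id */
        if (cur && cur->tt_slot == slot_id)
            free_depth_first(i, fixed);
    }
    if (!vdev)
        return 0;
    devs[vdev->slot_id] = NULL;     /* models the free */
    return vdev->slot_id;
}

int main(void)
{
    setup_scenario();
    printf("buggy form frees slot %d\n", free_depth_first(MAX_SLOTS, 0));
    setup_scenario();
    printf("fixed form frees slot %d\n", free_depth_first(MAX_SLOTS, 1));
}
```

In the buggy run the child in slot 1 stays allocated while the hub it references in slot MAX_SLOTS-1 is gone, which is the state step 6 starts from.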
