Message-ID: <87zjn3z6d5.fsf@nemi.mork.no>
Date:	Sat, 11 Jan 2014 01:53:26 +0100
From:	Bjørn Mork <bjorn@...k.no>
To:	Thomas Kear <thomas@...r.co.nz>
Cc:	Ben Hutchings <bhutchings@...arflare.com>,
	netdev <netdev@...r.kernel.org>, linux-usb@...r.kernel.org
Subject: Re: PROBLEM: usbnet / ax88179_178a: Panic in usb_hcd_map_urb_for_dma

Thomas Kear <thomas@...r.co.nz> writes:

> On Sat, Jan 11, 2014 at 11:09 AM, Bjørn Mork <bjorn@...k.no> wrote:
>> But looking at the code I think I found an obvious miss in the SG list
>> initialisation.  I'll post a proposed fix for that.  Would be good if
>> someone was able to test it.
>
> I've built 3.13.0-rc7-next-20140110 with your patch applied.
> Unfortunately since this bug has taken anywhere from minutes to days
> to manifest previously I'm not sure how quickly I'll be able to report
> on its efficacy.

Thanks for testing it.

If I'm correct, then your problem is caused by usbnet incrementing
urb->num_sgs above the value sg_init_table was called with. This happens
if usbnet adds padding to a fragmented skb.  Unfortunately I have no
idea how you can create fragmented skbs with a certain length.  But I'm
sure others here know?

This bug in usbnet makes usb_hcd_map_urb_for_dma() call dma_map_sg()
with nents set past an entry with the SG chain termination bit set. This
bit makes the call to sg_next return NULL, even if there is another
non-NULL entry in the list.  So when dma_map_sg does

        for_each_sg(sg, s, nents, i)
                kmemcheck_mark_initialized(sg_virt(s), s->length);

it ends up dereferencing NULL.

> I currently have the adapter plugged in through a 4-port USB3 hub
> (2109:0811, which appears to be a VIA chip) but I will test it
> directly attached to the laptop too.

I don't think that should matter.


Bjørn
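As an added illustration (not code from this thread or from the kernel), here is a small C model of the failure described above: a scatterlist initialised by sg_init_table() for fewer entries than urb->num_sgs is later walked past the entry carrying the chain-termination bit, so sg_next() returns NULL mid-loop. The struct layout, flag value and helper names are simplified stand-ins for the kernel's, and the "fixed" case assumes the remedy is to size the sg_init_table() call for the padding entry as well.

```c
#include <stddef.h>

/* Constructed, simplified model of the kernel scatterlist; not kernel code. */
#define SG_END 0x02UL            /* chain-termination bit set by sg_mark_end() */

struct scatterlist {
    unsigned long page_link;     /* low bits carry the END flag */
    unsigned int  length;
};

static void sg_mark_end(struct scatterlist *sg) { sg->page_link |= SG_END; }

/* Clears n entries and marks entry n-1 as the end of the list. */
static void sg_init_table(struct scatterlist *sgl, unsigned int n)
{
    for (unsigned int i = 0; i < n; i++) { sgl[i].page_link = 0; sgl[i].length = 0; }
    sg_mark_end(&sgl[n - 1]);
}

/* NULL once the END bit is seen, whatever sits in memory after the entry. */
static struct scatterlist *sg_next(struct scatterlist *sg)
{
    return (sg->page_link & SG_END) ? NULL : sg + 1;
}

/* Stand-in for the for_each_sg() walk inside dma_map_sg(): sums length over
 * nents entries, or returns -1 where the kernel would dereference a NULL sg. */
static long walk_sg(struct scatterlist *sgl, unsigned int nents)
{
    long total = 0;
    struct scatterlist *s = sgl;
    for (unsigned int i = 0; i < nents; i++, s = sg_next(s)) {
        if (!s) return -1;       /* real code: NULL dereference -> panic */
        total += s->length;
    }
    return total;
}

/* Head + 1 fragment (num_sgs == 2) that later needs a padding entry. With
 * init_for_padding == 0 the table is set up for 2 entries, then num_sgs hits 3. */
long build_and_map(int init_for_padding)
{
    struct scatterlist sg[3];
    unsigned int num_sgs = 2;
    sg_init_table(sg, init_for_padding ? num_sgs + 1 : num_sgs);
    sg[0].length = 1000;
    sg[1].length = 500;
    sg[2].length = 2;            /* padding appended after sg_init_table() */
    num_sgs++;                   /* urb->num_sgs now exceeds the initialised count */
    return walk_sg(sg, num_sgs);
}
```

build_and_map(0) stops at the NULL where the panic would occur, while build_and_map(1) walks all three entries and returns 1502.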