lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YKeAonwHduV8I+NW@kroah.com>
Date:   Fri, 21 May 2021 11:42:58 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Hayes Wang <hayeswang@...ltek.com>
Cc:     kuba@...nel.org, davem@...emloft.net, netdev@...r.kernel.org,
        nic_swsd@...ltek.com, linux-kernel@...r.kernel.org,
        linux-usb@...r.kernel.org,
        syzbot+95afd23673f5dd295c57@...kaller.appspotmail.com
Subject: Re: [PATCH net] r8152: check the informaton of the device

On Fri, May 21, 2021 at 05:07:34PM +0800, Hayes Wang wrote:
> Verify some fields of the USB descriptor to make sure the driver
> could be used by the device.
> 
> BugLink: https://syzkaller.appspot.com/bug?id=912c9c373656996801b4de61f1e3cb326fe940aa
> Reported-by: syzbot+95afd23673f5dd295c57@...kaller.appspotmail.com
> Fixes: c2198943e33b ("r8152: search the configuration of vendor mode")
> Signed-off-by: Hayes Wang <hayeswang@...ltek.com>
> ---
>  drivers/net/usb/r8152.c | 71 +++++++++++++++++++++++++++++++++++++++--
>  1 file changed, 69 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
> index 136ea06540ff..f348350f5da1 100644
> --- a/drivers/net/usb/r8152.c
> +++ b/drivers/net/usb/r8152.c
> @@ -8107,6 +8107,69 @@ static void r8156b_init(struct r8152 *tp)
>  	tp->coalesce = 15000;	/* 15 us */
>  }
>  
> +static bool rtl_check_vendor_ok(struct usb_interface *intf)
> +{
> +	struct usb_host_interface *alt = intf->cur_altsetting;
> +	struct usb_host_endpoint *in = NULL, *out = NULL, *intr = NULL;
> +	unsigned int ep;
> +
> +	if (alt->desc.bNumEndpoints < 3) {
> +		dev_err(&intf->dev, "Unexpected bNumEndpoints %d\n", alt->desc.bNumEndpoints);
> +		return false;
> +	}
> +
> +	for (ep = 0; ep < alt->desc.bNumEndpoints; ep++) {
> +		struct usb_host_endpoint *e;
> +
> +		e = alt->endpoint + ep;
> +
> +		/* ignore endpoints which cannot transfer data */
> +		if (!usb_endpoint_maxp(&e->desc))
> +			continue;
> +
> +		switch (e->desc.bmAttributes) {
> +		case USB_ENDPOINT_XFER_INT:
> +			if (!usb_endpoint_dir_in(&e->desc))
> +				continue;
> +			if (!intr)
> +				intr = e;
> +			break;
> +		case USB_ENDPOINT_XFER_BULK:
> +			if (usb_endpoint_dir_in(&e->desc)) {
> +				if (!in)
> +					in = e;
> +			} else if (!out) {
> +				out = e;
> +			}
> +			break;
> +		default:
> +			continue;
> +		}
> +	}
> +
> +	if (!in || !out || !intr) {
> +		dev_err(&intf->dev, "Miss Endpoints\n");
> +		return false;
> +	}
> +
> +	if ((in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK) != 1) {
> +		dev_err(&intf->dev, "Invalid Rx Endpoints\n");
> +		return false;
> +	}
> +
> +	if ((out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK) != 2) {
> +		dev_err(&intf->dev, "Invalid Tx Endpoints\n");
> +		return false;
> +	}
> +
> +	if ((intr->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK) != 3) {
> +		dev_err(&intf->dev, "Invalid interrupt Endpoints\n");
> +		return false;
> +	}
> +
> +	return true;
> +}

We have a USB core function that does all of the above for you, why not
use that instead?

Look at usb_find_common_endpoints() and
usb_find_common_endpoints_reverse() and at the very least
usb_find_bulk_in_endpoint() and related functions.  Please don't
open-code this type of logic, it's easy to get things wrong.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ