From: Roderick Colenbrander
Date: Fri, 4 Jan 2019 13:35:01 -0800
Subject: Re: NULL pointer dereference when writing fuzzed data to /dev/uhid
To: Anatoly Trosinenko
Cc: Benjamin Tissoires, Jiri Kosina, lkml, "open list:HID CORE LAYER"
X-Mailing-List: linux-kernel@vger.kernel.org

Thanks, it seems the tests created a Buzz controller. It is sony_led_init
(called from sony_input_configured), which calls hid_validate_values. It is
hid_validate_values which is unhappy due to obviously corrupted reports.

I'm not too familiar with hid_validate_values, but it seems to access a bunch
of data structures on the HID device. The code probably makes some
assumptions. Fixing this issue requires some more sanity checking, if it is
worth it.

Thanks,
Roderick

On Fri, Jan 4, 2019 at 9:04 AM Anatoly Trosinenko wrote:
>
> > Would you be able to share the sony.bin file?
> Sent it in this message.
>
> > Did you inject a particular device?
> If you are asking me, then no, I blindly send fuzzed data with a
> simple (but quite large and not very meaningful) header. That time it
> just turned out to be a Sony-like descriptor :)
>
> Best regards
> Anatoly
>
> On Fri, 4 Jan 2019 at 19:38, Roderick Colenbrander wrote:
> >
> > > > For sony.bin:
> > > >
> > > > root@kvm-xfstests:~# cat /vtmp/sony.bin > /dev/uhid
> > > > [ 16.891931] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.892432] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.892894] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.893362] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.893844] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.895389] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.898165] sony 0003:054C:1000.0001: ignoring exceeding usage max
> > > > [ 16.901190] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.903797] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.906401] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.908957] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.911449] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.913936] sony 0003:054C:1000.0001: unknown main item tag 0x1
> > > > [ 16.916551] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.918454] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.919743] sony 0003:054C:1000.0001: unknown main item tag 0x4
> > > > [ 16.920834] sony 0003:054C:1000.0001: unknown main item tag 0xe
> > > > [ 16.921904] sony 0003:054C:1000.0001: unknown main item tag 0xe
> > > > [ 16.923006] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.924082] sony 0003:054C:1000.0001: unknown main item tag 0x2
> > > > [ 16.925195] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.926289] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.927400] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.928546] BUG: unable to handle kernel NULL pointer dereference
> > > > at 0000000000000028
> > > > [ 16.929951] #PF error: [normal kernel read fault]
> > > > [ 16.930884] PGD 800000007a52b067 P4D 800000007a52b067 PUD 0
> > > > [ 16.931836] Oops: 0000 [#1] SMP PTI
> > > > [ 16.932437] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted
> > > > 4.20.0-xfstests-10979-g96d4f267e40 #1
> > > > [ 16.933752] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> > > > BIOS 1.11.1-1ubuntu1 04/01/2014
> > > > [ 16.935372] Workqueue: events uhid_device_add_worker
> > > > [ 16.936321] RIP: 0010:hid_validate_values+0x48/0x110
> > > >
> > > In a sense, it's good to have a fault there because this was added to
> > > make sure we do not blindly accept any data. The fact that it doesn't
> > > fail gracefully is a sign that there is something else.
> > > Maybe Roderick could have a look?
> > >
> > > Cheers,
> > > Benjamin
> > >
> >
> > Sure I can have a look. Would you be able to share the sony.bin file?
> > Did you inject a particular device? We do a lot of remapping and
> > processing in hid-sony at startup. It is probably related to that.
> >
> > Thanks,
> > Roderick
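The sanity checking the thread talks about, as an added example that is not part of this e-mail exchange nor of the kernel's hid-core or hid-sony code: a user-space model of a hid_validate_values-style lookup that a driver such as sony_led_init would run before touching a report. The structures, the build_device/free_device helpers, the reject macro and the Buzz-style precondition (output report 0, field 0, at least seven values) are assumptions made for this example; the kernel's real hid_device layout and hid_validate_values differ. Three constructed devices go through the check: a well-formed one, one whose field is too short, and one whose descriptor produced no output report at all, which is the kind of state a fuzzed descriptor leaves behind. Each bad case returns NULL, so a driver would return -ENODEV rather than follow a pointer into data that was never parsed.

```c
/* Added illustration, not kernel code: a simplified model of the HID report
 * tables and of a hid_validate_values-style check over them. */
#include <stdio.h>
#include <stdlib.h>

enum { HID_INPUT_REPORT, HID_OUTPUT_REPORT, HID_FEATURE_REPORT, HID_REPORT_TYPES };
#define HID_MAX_IDS 256
#define MAX_FIELDS  8

struct hid_field { unsigned int report_count; };         /* values in the field */
struct hid_report { unsigned int maxfield; struct hid_field *field[MAX_FIELDS]; };
struct hid_report_enum {
    unsigned int count;                                  /* reports parsed for this type */
    struct hid_report *first;                            /* first report in parse order */
    struct hid_report *report_id_hash[HID_MAX_IDS];      /* lookup by report ID */
};
struct hid_device { struct hid_report_enum report_enum[HID_REPORT_TYPES]; };

/* Log why a report was rejected and hand NULL back to the caller. */
#define reject(...) do { fprintf(stderr, __VA_ARGS__); return NULL; } while (0)

/* Confirm that report `id` of `type` exists, has more than `field_index`
 * fields, and that the field holds at least `report_counts` values. Returns
 * the report, or NULL so a driver can return -ENODEV instead of indexing
 * into structures a corrupt descriptor never produced. */
struct hid_report *validate_values(const struct hid_device *hid, unsigned int type,
                                   unsigned int id, unsigned int field_index,
                                   unsigned int report_counts)
{
    const struct hid_report_enum *re;
    struct hid_report *report;

    if (type >= HID_REPORT_TYPES)
        reject("invalid HID report type %u\n", type);
    if (id >= HID_MAX_IDS)
        reject("invalid HID report id %u\n", id);
    re = &hid->report_enum[type];
    /* id 0 means "the first report of this type"; a fuzzed descriptor can
     * leave that list empty, so check before following the pointer. */
    report = id ? re->report_id_hash[id] : (re->count ? re->first : NULL);
    if (!report)
        reject("missing report %u of type %u\n", id, type);
    if (report->maxfield <= field_index)
        reject("not enough fields in report %u\n", id);
    if (!report->field[field_index] ||
        report->field[field_index]->report_count < report_counts)
        reject("not enough values in report %u field %u\n", id, field_index);
    return report;
}

/* Constructed test devices: with_report != 0 yields one output report 0 with
 * a single field of `count` values; with_report == 0 yields a device whose
 * descriptor produced no output report at all. */
struct hid_device *build_device(int with_report, unsigned int count)
{
    struct hid_device *hid = calloc(1, sizeof(*hid));
    struct hid_report *r = calloc(1, sizeof(*r));
    struct hid_field *f = calloc(1, sizeof(*f));

    if (!hid || !r || !f) {
        free(f); free(r); free(hid);
        return NULL;
    }
    if (!with_report) {
        free(f); free(r);
        return hid;
    }
    f->report_count = count;
    r->maxfield = 1;
    r->field[0] = f;
    hid->report_enum[HID_OUTPUT_REPORT].count = 1;
    hid->report_enum[HID_OUTPUT_REPORT].first = r;
    hid->report_enum[HID_OUTPUT_REPORT].report_id_hash[0] = r;
    return hid;
}

void free_device(struct hid_device *hid)
{
    unsigned int t, i;
    for (t = 0; hid && t < HID_REPORT_TYPES; t++) {
        struct hid_report *r = hid->report_enum[t].first;
        for (i = 0; r && i < r->maxfield; i++)
            free(r->field[i]);
        free(r);
    }
    free(hid);
}

/* Buzz-style precondition (an assumption for this example): output report 0,
 * field 0, at least 7 values. Returns 1 when the driver may proceed. */
int buzz_report_ok(const struct hid_device *hid)
{
    return hid && validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7) != NULL;
}

int main(void)
{
    const char *names[] = { "well-formed", "field too short", "no output report" };
    struct hid_device *devs[] = { build_device(1, 7), build_device(1, 3), build_device(0, 0) };
    int i;
    for (i = 0; i < 3; i++) {
        printf("%-16s -> %s\n", names[i], buzz_report_ok(devs[i]) ? "accept" : "reject");
        free_device(devs[i]);
    }
    return 0;
}
```

The point of the id == 0 branch is that "first report of this type" is only meaningful when the parser produced at least one report; a lookup that assumes the list is non-empty is exactly the kind of assumption that holds for real hardware and fails for descriptor bytes fed through /dev/uhid.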