Date: Fri, 24 May 2019 09:54:02 -0400 (EDT)
From: Alan Stern
To: Mauro Carvalho Chehab, Greg KH
Cc: andreyknvl@google.com, Kernel development list, USB list
Subject: Re: [PATCH] media: usb: siano: Fix general protection fault in smsusb
In-Reply-To: <20190524103540.250a69e7@coco.lan>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 24 May 2019, Mauro Carvalho Chehab wrote:

> On Tue, 7 May 2019 12:39:47 -0400 (EDT), Alan Stern wrote:
>
> > The syzkaller USB fuzzer found a general-protection-fault bug in the
> > smsusb part of the Siano DVB driver. The fault occurs during probe
> > because the driver assumes without checking that the device has both
> > IN and OUT endpoints and the IN endpoint is ep1.
> >
> > By slightly rearranging the driver's initialization code, we can make
> > the appropriate checks early on and thus avoid the problem. If the
> > expected endpoints aren't present, the new code safely returns -ENODEV
> > from the probe routine.
> >
> > Signed-off-by: Alan Stern
> > Reported-and-tested-by: syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com
> > CC:
>
> Patch looks correct, and I'm applying it. It exposes another potential
> problem though: what happens if sizeof(desc.wMaxPacketSize) < sizeof(struct sms_msg_hdr)?
>
> I'm enclosing a followup patch that should solve this situation
> (and clean up a sparse warning).
>
> Thanks,
> Mauro

Your points are well taken. However, Greg KH has already taken the
original patch and a fix for the sparse warning into his tree. I guess
the two of you should figure out how best to straighten this out.

Alan Stern
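The two defensive checks the thread describes (reject a device that lacks the expected bulk IN and OUT endpoints instead of assuming they exist and that IN is ep1, and reject an IN endpoint whose wMaxPacketSize value cannot hold one message header) can be illustrated with a small user-space model. This is an added example, not the smsusb patch or any kernel code: the `ep_desc`, `demo_msg_hdr` (8 bytes is an assumed size) and `demo_check_endpoints` names are hypothetical, the endpoint tables are constructed to mimic a well-formed device and the kind of descriptor sets a USB fuzzer presents, and the kernel's own helpers are not used so the block runs stand-alone.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space stand-ins for the descriptor bits probe code
 * inspects (hypothetical names; not the kernel's definitions). */
#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_NUMBER_MASK   0x0f
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     2

struct ep_desc {
    uint8_t  bEndpointAddress;   /* bit 7 = direction, bits 0-3 = number */
    uint8_t  bmAttributes;       /* bits 0-1 = transfer type */
    uint16_t wMaxPacketSize;
};

/* Stand-in for struct sms_msg_hdr; the 8-byte layout is an assumption. */
struct demo_msg_hdr {
    uint16_t msg_type;
    uint8_t  msg_src_id;
    uint8_t  msg_dst_id;
    uint16_t msg_length;
    uint16_t msg_flags;
};

struct demo_probe_result {
    uint8_t  in_ep;    /* number of the bulk IN endpoint actually found */
    uint8_t  out_ep;   /* number of the bulk OUT endpoint actually found */
    uint16_t in_maxp;  /* wMaxPacketSize of that IN endpoint */
};

/* Walk the interface's endpoints before touching any of them: require one
 * bulk IN and one bulk OUT endpoint, take their numbers from the descriptors
 * rather than assuming "IN is ep1", and refuse an IN endpoint too small to
 * carry a header. Returns 0 or -ENODEV, the contract the thread describes. */
static int demo_check_endpoints(const struct ep_desc *eps, size_t n,
                                struct demo_probe_result *res)
{
    const struct ep_desc *in = NULL, *outp = NULL;

    for (size_t i = 0; i < n; i++) {
        if ((eps[i].bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) != USB_ENDPOINT_XFER_BULK)
            continue;
        if (eps[i].bEndpointAddress & USB_DIR_IN) {
            if (!in) in = &eps[i];
        } else {
            if (!outp) outp = &eps[i];
        }
    }
    if (!in || !outp)
        return -ENODEV;                       /* endpoints missing */
    /* Mauro's follow-up: a header-sized read cannot fit in a smaller packet. */
    if (in->wMaxPacketSize < sizeof(struct demo_msg_hdr))
        return -ENODEV;

    res->in_ep   = in->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK;
    res->out_ep  = outp->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK;
    res->in_maxp = in->wMaxPacketSize;
    return 0;
}

/* Constructed cases. Each returns 0 or the negative error, except the
 * "IN is not ep1" case, which returns the IN endpoint number it found. */
static int demo_case_good(void)
{
    const struct ep_desc eps[] = { { 0x81, USB_ENDPOINT_XFER_BULK, 512 },
                                   { 0x02, USB_ENDPOINT_XFER_BULK, 512 } };
    struct demo_probe_result r;
    return demo_check_endpoints(eps, 2, &r);
}

static int demo_case_in_not_ep1(void)
{
    const struct ep_desc eps[] = { { 0x83, USB_ENDPOINT_XFER_BULK, 64 },
                                   { 0x01, USB_ENDPOINT_XFER_BULK, 64 } };
    struct demo_probe_result r;
    int rc = demo_check_endpoints(eps, 2, &r);
    return rc ? rc : r.in_ep;   /* 3: the real number, not a hard-coded 1 */
}

static int demo_case_missing_out(void)
{
    /* Fuzzer-style descriptor set: only an IN endpoint is present. */
    const struct ep_desc eps[] = { { 0x81, USB_ENDPOINT_XFER_BULK, 512 } };
    struct demo_probe_result r;
    return demo_check_endpoints(eps, 1, &r);
}

static int demo_case_tiny_packet(void)
{
    /* Both endpoints exist, but IN cannot hold an 8-byte header. */
    const struct ep_desc eps[] = { { 0x81, USB_ENDPOINT_XFER_BULK, 4 },
                                   { 0x02, USB_ENDPOINT_XFER_BULK, 512 } };
    struct demo_probe_result r;
    return demo_check_endpoints(eps, 2, &r);
}

int main(void)
{
    printf("good: %d, in-not-ep1: %d, missing OUT: %d, tiny packet: %d\n",
           demo_case_good(), demo_case_in_not_ep1(),
           demo_case_missing_out(), demo_case_tiny_packet());
    return 0;
}
```

The point of ordering in the model is the same one the patch description makes: every property the rest of probe relies on is established (or the device is refused with -ENODEV) before any endpoint address or packet size is used, so a descriptor set that a fuzzer synthesizes fails cleanly instead of dereferencing something that was never there.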