Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp3993439ybg; Fri, 25 Oct 2019 11:48:50 -0700 (PDT) X-Google-Smtp-Source: APXvYqyd2fyGDuvXQL/GOavTjrANuaun42AVOQGVOt3RW66fTQyRnZ6Vl23VBJ18j88WBiDZbqZ1 X-Received: by 2002:a50:d70c:: with SMTP id t12mr5695831edi.252.1572029330336; Fri, 25 Oct 2019 11:48:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572029330; cv=none; d=google.com; s=arc-20160816; b=BwDlnL7yl+IaOws7JNMZIn93nHqN0mBf3jRQKd4qPTxBtchRvVmacySDNmfPUfFdjM OvqyyrCUIwDtbdEk3l/h4IPhyswexfDKsAGQqAAWKlHvRCN6nyGxc4wHnofmImou4LO0 3Xt4xYY3kaJLHHPvHyKR9XhAG+3+pHLuyan2rWInWg2g7RTIoLBQjC09ZB6EB4iRPl9H u1Sx6JEbRP3S+n8MWP8GSaWZ5k8hxHwYvJLr31/MQCbHX1bSLqRpKRcescg7eIgqyWq/ D1dDPGZ6F/OhpdJdQQJr04A/ua7xSWC/1bliukTrQsk0ExBAKaXv/HGJzDZP4FQAMgVt MT4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:in-reply-to :subject:cc:to:from:date; bh=od+wlZzKc8CEzKGpAwSzT/V3PzYEsxbwRzfyoszh5DU=; b=iqHf+FZLizsAbGNn4Fs184N9Jf4/VQ8sGREvywBPsXol7R9Psl8Y870oReem/nDdEl ocFY/kGIvTsx/MrHlV5VjXfTtEBkJY3+kGzYRfi4EGvd77cmrSBHZYjcWcISgqyfgfVz ibBlTJSbzKXgYJMxZUPP7nsPix+MNMHfly6rMplQGsHk5QpDkbxpKH3sWGjHx90aypfy MrGE+Orfmup2FKzWjYGCnqtTXzhsmCfF/h1u6caTJmZFbFKQ6wBKNnjCvviCROW1TQnR qSf6a23+H/sEEy1+uqzjwBvn7McQvLiVzikMe9ugS1WVkwSDh6Hp1lF1xekabO3E3eHb fD9Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g4si1895984edb.41.2019.10.25.11.48.27; Fri, 25 Oct 2019 11:48:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2394110AbfJXR5f (ORCPT + 99 others); Thu, 24 Oct 2019 13:57:35 -0400 Received: from iolanthe.rowland.org ([192.131.102.54]:59670 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S2388218AbfJXR5e (ORCPT ); Thu, 24 Oct 2019 13:57:34 -0400 Received: (qmail 2715 invoked by uid 2102); 24 Oct 2019 13:57:33 -0400 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 24 Oct 2019 13:57:33 -0400 Date: Thu, 24 Oct 2019 13:57:33 -0400 (EDT) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: Andrey Konovalov cc: syzbot , "Jacky . Cao @ sony . com" , Felipe Balbi , Chunfeng Yun , Greg Kroah-Hartman , LKML , USB list , syzkaller-bugs Subject: Re: divide error in dummy_timer In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 24 Oct 2019, Andrey Konovalov wrote: > > Is this really the sort of thing we need to catch? It isn't a bug in > > any existing kernel code, as far as I know. Maybe only gadgetfs and > > configfs need to worry about it. > > Hi Alan, > > Do you mean that the gadget driver must ensure that the max packet > size in the endpoint descriptor is not zero? Do HCDs rely on that? I > can add this check into the driver we use for USB fuzzing. Well, if there are any gadget drivers in the kernel which do set an endpoint's maxpacket size to 0, they should be fixed. I'm not aware of any. Of course, gadget drivers in userspace are always suspect. That's why I suggested having gadgetfs and configfs perform this check. Even so it's not really a _security_ risk, because only the superuser is allowed to run a userspace gadget driver. (Although obviously it is better to have a clean failure than to crash the system when a buggy program runs with superuser privileges.) Yes, HCDs do depend on endpoints having reasonable maxpacket values. I suppose the core should check for this. Currently we check for values that are too large or invalid in other ways (like high-speed bulk endpoints with maxpacket != 512), but we don't check for 0. In fact, that sounds like a much better solution to the problem overall. Let's see if this patch fixes the bug... Alan Stern #syz test: https://github.com/google/kasan.git 22be26f7 drivers/usb/core/config.c | 5 +++++ 1 file changed, 5 insertions(+) Index: usb-devel/drivers/usb/core/config.c =================================================================== --- usb-devel.orig/drivers/usb/core/config.c +++ usb-devel/drivers/usb/core/config.c @@ -348,6 +348,11 @@ static int usb_parse_endpoint(struct dev /* Validate the wMaxPacketSize field */ maxp = usb_endpoint_maxp(&endpoint->desc); + if (maxp == 0) { + dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has wMaxPacketSize 0, skipping\n", + cfgno, inum, asnum, d->bEndpointAddress); + goto skip_to_next_endpoint_or_interface_descriptor; + } /* Find the highest legal maxpacket size for this endpoint */ i = 0; /* additional transactions per microframe */