Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3710867ybv; Mon, 10 Feb 2020 05:08:09 -0800 (PST) X-Google-Smtp-Source: APXvYqy6a8olnxvh9hMgCJdZRnOdCXECTzKpSTulRXcsncYJ/WT0WYh63+1f+lk3vt86Qd/xrlev X-Received: by 2002:a9d:7ccc:: with SMTP id r12mr1049575otn.22.1581340089130; Mon, 10 Feb 2020 05:08:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581340089; cv=none; d=google.com; s=arc-20160816; b=ycNM4rZ51wU1EM5Li1NHujHkjQOIdOTvTIr/TETntORMrkYsbQp3iD7SmXqmLq7j2E UtjpbBhGBgfTFL0VdCfrJqSwUoh42UJj2HiZfahwa70DqvAwztcyuoLhvklF8wVH6nDp Q6XZ4rh8snNMf0VVR6aVPk8gf+zXT15R7h7P7WfPmQpamiTDrek/3Bh8lYF2ACKIGE5f dFqSjapuRUNuDaYbb3zlVn1wlIV93KUa69WJTu4VWVm6iecl0EA3ab3Trl2IpKEvyYrC YJbBySTzfsbiRIhjvEXsPK+3IUDssctWYxXmmsm0P2FtuzQfM/3cu9f2iBBfIYz7bZ+E neMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=fU+v95bM+xQonRgOagtHEyFq5TDRYMLw2Zjln3hnAtM=; b=xXpT//wAY2vzQeuOcc7lpqV/DwVeqN0Ose7qa7EuaUeuaRsIUgQ38l4/s5xSSnnc6C MNo2w8v/DBKcSApSoWq2YZE1ZWfNzDDYOEblhuP9qnayMrIb88Dnj8hqi2r8zJ5ipuj4 usjlLJAfdSAq5nGjU4PSzB1qjcqu0PRLR4R2XwwfhxPjd1QczqVGK7uBiqh8MQ+H65Mt /bMOa4Ftj+5fH/Ot+rUEmNs4OcFU0I7ht6JyN8hjHHnw09kxUbFMrMpaXr5VXhzzGXeq AQjYDi2Pr8dMfgVQKTKnbvtOMcbtEpwXYBksBwMOUe6Evdcc6g4Tg46EUW8StK19fp+1 oG1Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=W05RqMGj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l21si175596otk.142.2020.02.10.05.07.56; Mon, 10 Feb 2020 05:08:09 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=W05RqMGj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730472AbgBJNHz (ORCPT + 99 others); Mon, 10 Feb 2020 08:07:55 -0500 Received: from mail.kernel.org ([198.145.29.99]:37606 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729024AbgBJMjj (ORCPT ); Mon, 10 Feb 2020 07:39:39 -0500 Received: from localhost (unknown [209.37.97.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 8BD102467A; Mon, 10 Feb 2020 12:39:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1581338377; bh=mybJf9H4zwQSbbA4ifMmeLxgNPhjekDf/AYhWwnpOQM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=W05RqMGjeN8hupjHW/ZVZ/KVD+nSupc/QGoZDt2CgjiRq3Gtg+WlbXR/wdHdKfcXP qJd2t9w+PP/mWtbEO0T/zcNaCng3CKpkW/vROfKLQGAi7FAZhkx2T9cWw99xRZLOKi 1ANE6Yi7qcmUNseX0SRgT0yuTlZ+LsDCcrLgF6Uk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andrey Konovalov , Will Deacon , Laurent Pinchart , Mauro Carvalho Chehab Subject: [PATCH 5.5 027/367] media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors Date: Mon, 10 Feb 2020 04:29:00 -0800 Message-Id: <20200210122426.395964640@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200210122423.695146547@linuxfoundation.org> References: <20200210122423.695146547@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Will Deacon commit 68035c80e129c4cfec659aac4180354530b26527 upstream. Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked up the following WARNING from the UVC chain scanning code: | list_add double add: new=ffff880069084010, prev=ffff880069084010, | next=ffff880067d22298. | ------------[ cut here ]------------ | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0 | Modules linked in: | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted | 4.14.0-rc2-42613-g1488251d1a98 #238 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 | Workqueue: usb_hub_wq hub_event | task: ffff88006b01ca40 task.stack: ffff880064358000 | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29 | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286 | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000 | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000 | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010 | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0 | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000 | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0 | Call Trace: | __list_add ./include/linux/list.h:59 | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92 | uvc_scan_chain_forward.isra.8+0x373/0x416 | drivers/media/usb/uvc/uvc_driver.c:1471 | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585 | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769 | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104 Looking into the output from usbmon, the interesting part is the following data packet: ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080 00090403 00000e01 00000924 03000103 7c003328 010204db If we drop the lead configuration and interface descriptors, we're left with an output terminal descriptor describing a generic display: /* Output terminal descriptor */ buf[0] 09 buf[1] 24 buf[2] 03 /* UVC_VC_OUTPUT_TERMINAL */ buf[3] 00 /* ID */ buf[4] 01 /* type == 0x0301 (UVC_OTT_DISPLAY) */ buf[5] 03 buf[6] 7c buf[7] 00 /* source ID refers to self! */ buf[8] 33 The problem with this descriptor is that it is self-referential: the source ID of 0 matches itself! This causes the 'struct uvc_entity' representing the display to be added to its chain list twice during 'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is processed directly from the 'dev->entities' list and then again immediately afterwards when trying to follow the source ID in 'uvc_scan_chain_forward()' Add a check before adding an entity to a chain list to ensure that the entity is not already part of a chain. Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/ Cc: Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") Reported-by: Andrey Konovalov Signed-off-by: Will Deacon Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- drivers/media/usb/uvc/uvc_driver.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -1493,6 +1493,11 @@ static int uvc_scan_chain_forward(struct break; if (forward == prev) continue; + if (forward->chain.next || forward->chain.prev) { + uvc_trace(UVC_TRACE_DESCR, "Found reference to " + "entity %d already in chain.\n", forward->id); + return -EINVAL; + } switch (UVC_ENTITY_TYPE(forward)) { case UVC_VC_EXTENSION_UNIT: @@ -1574,6 +1579,13 @@ static int uvc_scan_chain_backward(struc return -1; } + if (term->chain.next || term->chain.prev) { + uvc_trace(UVC_TRACE_DESCR, "Found reference to " + "entity %d already in chain.\n", + term->id); + return -EINVAL; + } + if (uvc_trace_param & UVC_TRACE_PROBE) printk(KERN_CONT " %d", term->id);