Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp713810ybv; Thu, 13 Feb 2020 08:12:13 -0800 (PST) X-Google-Smtp-Source: APXvYqwCdE4prMsgLLaNEiv9/jXGfFrtGxd4ewThZVIDBTO4sf9Co/LnYBqhB6XkcSQJugfJBCeZ X-Received: by 2002:aca:cc07:: with SMTP id c7mr3265511oig.165.1581610333765; Thu, 13 Feb 2020 08:12:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581610333; cv=none; d=google.com; s=arc-20160816; b=gn7Xc2raimqCIIV7UsueBeJFSNoFEkJ+sItj7xEEsZHKZO+wGocE8DGORyGGtsaF1S 3j/WowQutZ/vDmSpJezIKrU1aZsoKsD4XNvQnROtjAZS65WnD+4iwF9YX4uArru7eWUi a/j4R6+MiRLHZWf0hh3NZJdiVI5mifBcrJlXpGu5sGcEI7DwPj90wUZtzaMGcIRTSoRK AlZyBdUqIftuI0REa4JYkS4lHYSVJSm6tXxh9x+LA0JRYr4UrR1EWpkyUghcWPSMpZ5x 7PgN4GTsvYDEo7vceRcvz1N4db/Ue3vWUYtdmHKxn0EfdSA/eYCuuydNBq4pA17sBALF GiKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=R4F4itP8ewHgGYz/T4nWmOM5LwkBPWJzO5Vnp2Kk/3g=; b=rS01jeB6dz8rYd9H4Qh9DL8S+SLXL4ORmv+qkkBEFqAXnbdKcDFHCYWUTOzgEYUxB/ kDfcXmXdBGGlqDgv8QU6q5jX7JxWG7ytFc6pBCjlsK/paesuTWKE+bkmVYRXpGvareCk 0YagQoWQVPteRkJjksS+kMy1Jr9Vm5RjKRGIA3YJLngBxbYlA+K5YlfFlQ94Tup0EevH N8SGss5bNCx/zqkGk6MIFw4G7SqnD0NmtslGl4+XJQY98fZovx04C6bXV5H4/Puu9AXq wXkvTb2YfcLu6fFNVuWToYN9DukuxjQLk927Xc0jEZhz8vTjdXATki+o0j+B7H1o4JVi veFQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=tIjjht0j; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f194si1357861oig.243.2020.02.13.08.11.58; Thu, 13 Feb 2020 08:12:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=tIjjht0j; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730347AbgBMQLy (ORCPT + 99 others); Thu, 13 Feb 2020 11:11:54 -0500 Received: from mail.kernel.org ([198.145.29.99]:59142 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727669AbgBMPWT (ORCPT ); Thu, 13 Feb 2020 10:22:19 -0500 Received: from localhost (unknown [104.132.1.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1D86620848; Thu, 13 Feb 2020 15:22:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1581607337; bh=UrlpERl3yDVB+DFfMKOUl5VrG2Ohbdi8WCW162x08W8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tIjjht0jnPzQ2eVFIFuQSunRBooRudMAL+u/bShrc5CKqAQ5z8iIJHHF5sJDVVsYE vJ1/X7KYk/C4/AHOY2GKg663ynkMTH3I0F5lAtaeWA/aWvsMMQDhZrTFnCzj10u1B8 GDuQkwnJVg5KRyAudy6rOD5Y1rmU40GSNW7ZOH8Y= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andrey Konovalov , Will Deacon , Laurent Pinchart , Mauro Carvalho Chehab Subject: [PATCH 4.4 10/91] media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors Date: Thu, 13 Feb 2020 07:19:27 -0800 Message-Id: <20200213151825.630550079@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200213151821.384445454@linuxfoundation.org> References: <20200213151821.384445454@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Will Deacon commit 68035c80e129c4cfec659aac4180354530b26527 upstream. Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked up the following WARNING from the UVC chain scanning code: | list_add double add: new=ffff880069084010, prev=ffff880069084010, | next=ffff880067d22298. | ------------[ cut here ]------------ | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0 | Modules linked in: | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted | 4.14.0-rc2-42613-g1488251d1a98 #238 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 | Workqueue: usb_hub_wq hub_event | task: ffff88006b01ca40 task.stack: ffff880064358000 | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29 | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286 | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000 | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000 | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010 | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0 | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000 | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0 | Call Trace: | __list_add ./include/linux/list.h:59 | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92 | uvc_scan_chain_forward.isra.8+0x373/0x416 | drivers/media/usb/uvc/uvc_driver.c:1471 | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585 | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769 | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104 Looking into the output from usbmon, the interesting part is the following data packet: ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080 00090403 00000e01 00000924 03000103 7c003328 010204db If we drop the lead configuration and interface descriptors, we're left with an output terminal descriptor describing a generic display: /* Output terminal descriptor */ buf[0] 09 buf[1] 24 buf[2] 03 /* UVC_VC_OUTPUT_TERMINAL */ buf[3] 00 /* ID */ buf[4] 01 /* type == 0x0301 (UVC_OTT_DISPLAY) */ buf[5] 03 buf[6] 7c buf[7] 00 /* source ID refers to self! */ buf[8] 33 The problem with this descriptor is that it is self-referential: the source ID of 0 matches itself! This causes the 'struct uvc_entity' representing the display to be added to its chain list twice during 'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is processed directly from the 'dev->entities' list and then again immediately afterwards when trying to follow the source ID in 'uvc_scan_chain_forward()' Add a check before adding an entity to a chain list to ensure that the entity is not already part of a chain. Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/ Cc: Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") Reported-by: Andrey Konovalov Signed-off-by: Will Deacon Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- drivers/media/usb/uvc/uvc_driver.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -1411,6 +1411,11 @@ static int uvc_scan_chain_forward(struct break; if (forward == prev) continue; + if (forward->chain.next || forward->chain.prev) { + uvc_trace(UVC_TRACE_DESCR, "Found reference to " + "entity %d already in chain.\n", forward->id); + return -EINVAL; + } switch (UVC_ENTITY_TYPE(forward)) { case UVC_VC_EXTENSION_UNIT: @@ -1492,6 +1497,13 @@ static int uvc_scan_chain_backward(struc return -1; } + if (term->chain.next || term->chain.prev) { + uvc_trace(UVC_TRACE_DESCR, "Found reference to " + "entity %d already in chain.\n", + term->id); + return -EINVAL; + } + if (uvc_trace_param & UVC_TRACE_PROBE) printk(" %d", term->id);