Date: Wed, 22 Apr 2020 12:51:14 +0200
From: Takashi Iwai
To: Oliver Neukum
Cc: syzbot
Subject: Re: general protection fault in go7007_usb_probe
In-Reply-To: <1587551540.26476.12.camel@suse.com>
References: <000000000000a0f56c05a3d59b69@google.com> <1587551540.26476.12.camel@suse.com>
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 22 Apr 2020 12:32:20 +0200,
Oliver Neukum wrote:
>
> On Tuesday, 21.04.2020, 16:45 -0700, syzbot wrote:
> > syzbot has found a reproducer for the following crash on:
> >
> > HEAD commit:    e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12da0b58100000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> > dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1146eb17e00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=159d136fe00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com
>
> Hi,
>
> this looks to be technically caused by
>
> commit a3ea410cac41b19a5490aad7fe6d9a9a772e646e
> Author: Takashi Iwai
> Date:   Thu Feb 6 16:45:27 2020 +0100
>
>     media: go7007: Fix URB type for interrupt handling
>
> It introduces this check:
>
> + ep = usb->usbdev->ep_in[4];
> + if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
>
> However, there is no guarantee ep_in[4] exists, if a malicious device
> were involved. But, I do not want to just add a check for NULL. That
> would just paper over the bug and the driver would fail at a later
> stage.

Yes, the patch assumed the existence of ep 4, as you can see in the
later code, the driver blindly uses the fixed endpoint for the urb.
So we'll hit a problem anyway.

> How many endpoints do these devices need to have to operate?

Not sure about that, but the NULL-check of ep there should be right.
If ep_in[4] is NULL, the probe should fail before going to the next
USB_ENDPOINT_XFER_BULK check.


thanks,

Takashi
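Review bot: the quoted hunk dereferences `ep` through `&ep->desc` on the line directly after `ep = usb->usbdev->ep_in[4];` without testing it for NULL, so a device whose descriptors never declare IN endpoint 4 faults inside probe, which is the general protection fault syzbot reports. Suggest `if (!ep) return -ENODEV;` (or the driver's existing error path) before the usb_endpoint_type() comparison, and since the later code fills the URB with the same fixed endpoint, the existence check should cover every fixed endpoint the driver relies on rather than only this one, which is the point of the question about how many endpoints the device must have.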
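To make the NULL check Takashi describes concrete, here is an added user-space model that is not code from the thread or from the go7007 driver: the kernel structs and constants are replaced by constructed stand-ins, pick_urb_type_after() and probe_with_ep4() are hypothetical names, and rejecting transfer types other than bulk or interrupt is my own addition beyond the thread's NULL check.

```c
/* Added example (not from the thread or the go7007 driver): a user-space
 * model of the ep_in[4] check. The structs and constants below are
 * constructed stand-ins for the kernel's usb_host_endpoint/usb_device. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     2
#define USB_ENDPOINT_XFER_INT      3

struct usb_endpoint_descriptor { uint8_t bEndpointAddress; uint8_t bmAttributes; };
struct usb_host_endpoint { struct usb_endpoint_descriptor desc; };
struct usb_device { struct usb_host_endpoint *ep_in[16]; }; /* NULL = not declared */

static int usb_endpoint_type(const struct usb_endpoint_descriptor *d)
{
	return d->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK;
}

/* The quoted hunk reads ep_in[4] and goes straight to &ep->desc; here the
 * probe instead fails with -ENODEV when the fixed endpoint is absent.
 * Rejecting types neither URB path can drive is my addition beyond the thread. */
static int pick_urb_type_after(struct usb_device *usbdev)
{
	struct usb_host_endpoint *ep = usbdev->ep_in[4];
	if (!ep)
		return -ENODEV;
	switch (usb_endpoint_type(&ep->desc)) {
	case USB_ENDPOINT_XFER_BULK: return USB_ENDPOINT_XFER_BULK;
	case USB_ENDPOINT_XFER_INT:  return USB_ENDPOINT_XFER_INT;
	default:                     return -ENODEV;
	}
}

/* Constructed device: present != 0 declares IN endpoint 4 with the given bmAttributes. */
static int probe_with_ep4(int present, uint8_t bmAttributes)
{
	struct usb_host_endpoint ep4 = { { 0x84, bmAttributes } };
	struct usb_device dev = { { NULL } };
	if (present)
		dev.ep_in[4] = &ep4;
	return pick_urb_type_after(&dev);
}
```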