Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp567893ybz;
        Wed, 22 Apr 2020 03:54:25 -0700 (PDT)
X-Google-Smtp-Source: APiQypLq2cT7SwCfAJtwxp2uQbXHkeoI65Ept3xswjJ7pggumxmHpjjsknMs5lLSw7O6Is/qlO/E
X-Received: by 2002:aa7:cf16:: with SMTP id a22mr22499940edy.77.1587552865829;
        Wed, 22 Apr 2020 03:54:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1587552865; cv=none;
        d=google.com; s=arc-20160816;
        b=CjD71ty9yc05fcCL1Ahb/cX6CZHMu3zd6FCmiyrMUCgVt7FmXmIl5v5Usyo3o+gVE/
         gbbKAUdgSTTR2PF1L3nyezS4u7J6TADN0XUGfPyV7Q2VFVWNstu8QLUVKmQPJkxMO4PF
         zgonHNtQ+qeAHdFcFFVSK/4g8GQlR6WK5h+YXcQia7njGNF9/2F+nF56ihbIREGoNuos
         MLoOG90CbjYt9aC7/zraNFZKhPcXgCMY1d5b/mG76d3s3Tf66OsckqwousxvQIoZJhBN
         ztbnv40QL5yUUSbYCT4/l7PokveL9EeDyeYCvySFtYrH73b/lx6EGJEjSA6vkvT1AHkX
         kg1Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:subject:cc:to:from:message-id:date;
        bh=SdcpS0mSWKZImSo0Mht1Dfs/CIGs7TDQThF8HJuYx1s=;
        b=XQaF3oC2iDOSAf78IkKKhpUAIaLLJmucMoRJkiWGbB484GalZw6NJKSJSx5LiKa1Q6
         pgukFW4ZaVbUGal/stusGOBlRkj/eeIXbLwyJC0RxRNfuEz6Bs0fALOcOhoIPAXMf5Iz
         FIQxIO5041QgNsMLU34/3/xfKiFDjkIcCjnIM0Ed+A96cMUqjfIay33wu4gAgETAY4pE
         bIWp6GVDWWbiIfcOK+KKZNhOR7JwetXhkaG0zbmtS/+q6hQAYB5pzmIGAznRzcM7PpOZ
         ZjMtwiC778C899o09cIEFncf176kaL+MJKhTWiI+beuh50R86mSwFI/Xg0Ur12r8uyVF
         rJsw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g19si3640979edh.59.2020.04.22.03.54.02;
        Wed, 22 Apr 2020 03:54:25 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732201AbgDVKvS (ORCPT <rfc822;gasparwang.pro@gmail.com>
        + 99 others); Wed, 22 Apr 2020 06:51:18 -0400
Received: from mx2.suse.de ([195.135.220.15]:43736 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1732030AbgDVKvR (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 22 Apr 2020 06:51:17 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (unknown [195.135.220.254])
        by mx2.suse.de (Postfix) with ESMTP id 67A1BABCC;
        Wed, 22 Apr 2020 10:51:14 +0000 (UTC)
Date:   Wed, 22 Apr 2020 12:51:14 +0200
Message-ID: <s5hy2qnztct.wl-tiwai@suse.de>
From:   Takashi Iwai <tiwai@suse.de>
To:     Oliver Neukum <oneukum@suse.com>
Cc:     syzbot <syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com>,
        <andreyknvl@google.com>, <hverkuil-cisco@xs4all.nl>,
        <linux-kernel@vger.kernel.org>, <linux-media@vger.kernel.org>,
        <linux-usb@vger.kernel.org>, <mchehab@kernel.org>,
        <syzkaller-bugs@googlegroups.com>, <tiwai@suse.com>
Subject: Re: general protection fault in go7007_usb_probe
In-Reply-To: <1587551540.26476.12.camel@suse.com>
References: <000000000000a0f56c05a3d59b69@google.com>
        <1587551540.26476.12.camel@suse.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka)
 FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3
 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 22 Apr 2020 12:32:20 +0200,
Oliver Neukum wrote:
> 
> Am Dienstag, den 21.04.2020, 16:45 -0700 schrieb syzbot:
> > syzbot has found a reproducer for the following crash on:
> > 
> > HEAD commit:    e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12da0b58100000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> > dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1146eb17e00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=159d136fe00000
> > 
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com
> 
> Hi,
> 
> this looks to be technically caused by
> 
> commit a3ea410cac41b19a5490aad7fe6d9a9a772e646e
> Author: Takashi Iwai <tiwai@suse.de>
> Date:   Thu Feb 6 16:45:27 2020 +0100
> 
>     media: go7007: Fix URB type for interrupt handling
> 
> It introduces this check:
> 
> +       ep = usb->usbdev->ep_in[4];
> +       if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
> 
> However, there is no guarantee ep_in[4] exists, if a malicious device
> were involved. But, I do not want to just add a check for NULL. That
> would just paper over the bug and the driver would fail at a later
> stage.

Yes, the patch assumed the existence of ep 4, as you can see in the
later code, the driver blindly uses the fixed endpoint for the urb.
So we'll hit a problem in anyway.

> How many endpoints do these devices need to have to operate?

Not sure about that, but the NULL-check of ep there should be right.
If ep_in[4] is NULL, the probe should fail before going to the next
USB_ENDPOINT_XFER_BULK check.


thanks,

Takashi