Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp896857ybh; Sun, 19 Jul 2020 02:24:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwz7E27BmX5GlCNpOwT3Fj6aCs50IrLjk+3DJcIDyIRw83PFG6uAcI048U589Jm/7hBGlFv X-Received: by 2002:a17:906:57c5:: with SMTP id u5mr15447977ejr.311.1595150646453; Sun, 19 Jul 2020 02:24:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595150646; cv=none; d=google.com; s=arc-20160816; b=QxJtHILg6qHhVEbZwhjVX8CHznvtwW/B0MIydpWlIRsn3oz8HnbSzfSqLgspaGmYJu /ve0VdaiVxM3HlBCco09xFXPQacU8qbd+DvPpKxRyGzmgfZrf5jkz7p304Z6Xt0kGt88 2oVD3xjTYLfJjkSOieZ6pn++MR/PKD+mdIv57WtIiXPKUfKI1MM5w5gI03Sowe+ZUvuC 5sW2i3Q0y6kXE9cFNE4gy/3X600QJ7pae2w0Ub/LHKkEVlrVVJ77ptDSTjwjJ0E7xMAT FBnOxRKebDccwYsTSH/SER5OvjWit0obH/c4kFUgBn1WzDc9z+jCLnOaYxV6Fox4DTcU VIVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=EX8LD0xYUpjvKPM4zCyACQDXTn+E3SjDR7FIh8bIoMk=; b=eEiAM1RT6TunLnCYBNrneiTOtjCfBrTaFylp2HxB7dztgdmtX/PsFZM6dpzdwwhCEk 2uYfinN50MzQTFI21lFIeVpO79N5hAvGEJVV7rNH0pyJrncc3SPjke+PareJJLqZx3dR nr/PxJp6Mh/Iz1zFCKxkrStBpqn6iLJwZc1ZckZdLykCyNbreN8ibB3ZMVpiBTZmgtZY b6iOxmkps6uPpUhbKawb/a5zFZpAMFpyRgdrkXJwWVN8KdO/ZRqB+oKfjtOLM7o1kU+a ui4fHK3G87z7gi+8NWQEtQq4GupUSa4u673Esxn3PR/SYyKDo1Ui7ZOHin3puE2ND27y nV8A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=1fI3FoyP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b12si8492338eds.283.2020.07.19.02.23.43; Sun, 19 Jul 2020 02:24:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=1fI3FoyP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726312AbgGSJX0 (ORCPT + 99 others); Sun, 19 Jul 2020 05:23:26 -0400 Received: from mail.kernel.org ([198.145.29.99]:56048 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726024AbgGSJXZ (ORCPT ); Sun, 19 Jul 2020 05:23:25 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0AD8F20734; Sun, 19 Jul 2020 09:23:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1595150605; bh=FXGs3363erCGNX9TvamANt772GZXMe1t8CEolW3wfm0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=1fI3FoyPB5WBOn4JCjyjO8Bcy2Verdht6rMHQfwSeQkCv/UCmqRmfBZUupKHYk4la C0nyl1Puf2jMPkX+Tch5T0l49QbBMh91nFayM1rhuINf9hSN337UFPEB3aN/Cly7Ep CqJBlE5mzvHJLtJ0ySjArhYO9GVYUa5VwsZ3hmiA= Date: Sun, 19 Jul 2020 11:23:38 +0200 From: Greg KH To: Rustam Kovhaev Cc: devel@driverdev.osuosl.org, syzbot+c2a1fa67c02faa0de723@syzkaller.appspotmail.com, linux-kernel@vger.kernel.org Subject: Re: [PATCH] staging: wlan-ng: properly check endpoint types Message-ID: <20200719092338.GC171181@kroah.com> References: <20200718155836.86384-1-rkovhaev@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200718155836.86384-1-rkovhaev@gmail.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jul 18, 2020 at 08:58:36AM -0700, Rustam Kovhaev wrote: > As syzkaller detected, wlan-ng driver submits bulk urb without checking > that the endpoint type is actually bulk, add usb_urb_ep_type_check() > > Reported-and-tested-by: syzbot+c2a1fa67c02faa0de723@syzkaller.appspotmail.com > Link: https://syzkaller.appspot.com/bug?extid=c2a1fa67c02faa0de723 > Signed-off-by: Rustam Kovhaev > --- > drivers/staging/wlan-ng/hfa384x_usb.c | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > > diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c > index fa1bf8b069fd..7cde60ea68a2 100644 > --- a/drivers/staging/wlan-ng/hfa384x_usb.c > +++ b/drivers/staging/wlan-ng/hfa384x_usb.c > @@ -339,6 +339,12 @@ static int submit_rx_urb(struct hfa384x *hw, gfp_t memflags) > > hw->rx_urb_skb = skb; > > + result = usb_urb_ep_type_check(&hw->rx_urb); > + if (result) { > + netdev_warn(hw->wlandev->netdev, "invalid rx endpoint"); > + goto cleanup; > + } In looking at this again, can you just make these checks in the probe function, and abort binding the driver to the device at that point in time? This feels really late in the init sequence. The real problem here is in the hfa384x_create() function, where it blindly takes the 1 and 2 endpoints and assumes that those are the "correct type". How about checking the types there, and if they are incorrect, returning an error from that function and have the caller return the error as well. That should keep anything else in the driver from being initialized and set up, and stop bad devices from being bound to the driver at a much earlier point in time. Note, just checking for the valid type/direction of those endpoints should be sufficient. thanks, greg k-h