From: Oliver Neukum <oneukum@suse.com>
To: syzbot <syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com>,
andreyknvl@google.com, hverkuil-cisco@xs4all.nl,
linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
linux-usb@vger.kernel.org, mchehab@kernel.org,
syzkaller-bugs@googlegroups.com
Cc: tiwai@suse.com
Subject: Re: general protection fault in go7007_usb_probe
Date: Wed, 22 Apr 2020 12:32:20 +0200 [thread overview]
Message-ID: <1587551540.26476.12.camel@suse.com> (raw)
In-Reply-To: <000000000000a0f56c05a3d59b69@google.com>
Am Dienstag, den 21.04.2020, 16:45 -0700 schrieb syzbot:
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=12da0b58100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1146eb17e00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=159d136fe00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com
Hi,
this looks to be technically caused by
commit a3ea410cac41b19a5490aad7fe6d9a9a772e646e
Author: Takashi Iwai <tiwai@suse.de>
Date: Thu Feb 6 16:45:27 2020 +0100
media: go7007: Fix URB type for interrupt handling
It introduces this check:
+ ep = usb->usbdev->ep_in[4];
+ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
However, there is no guarantee ep_in[4] exists, if a malicious device
were involved. But, I do not want to just add a check for NULL. That
would just paper over the bug and the driver would fail at a later
stage.
How many endpoints do these devices need to have to operate?
Regards
Oliver
next prev parent reply other threads:[~2020-04-22 10:32 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-21 23:36 general protection fault in go7007_usb_probe syzbot
2020-04-21 23:45 ` syzbot
2020-04-22 10:32 ` Oliver Neukum [this message]
2020-04-22 10:51 ` Takashi Iwai
2020-04-22 11:59 ` Oliver Neukum
2020-04-22 12:32 ` syzbot
2020-04-23 11:01 ` Oliver Neukum
2020-04-23 11:20 ` syzbot
2020-04-23 12:46 ` Oliver Neukum
2020-04-23 13:05 ` syzbot
2020-04-23 13:48 ` Oliver Neukum
2020-04-23 13:59 ` syzbot
2020-04-30 13:09 ` Oliver Neukum
2020-04-30 13:29 ` syzbot
2020-05-04 14:08 ` Oliver Neukum
2020-05-04 14:27 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1587551540.26476.12.camel@suse.com \
--to=oneukum@suse.com \
--cc=andreyknvl@google.com \
--cc=hverkuil-cisco@xs4all.nl \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).