Linux USB
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Griffin Kroah-Hartman <griffin@kroah.com>,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/3] usb: core: strengthen size check in usb_parse_interface()
Date: Tue, 14 Jul 2026 07:53:14 +0200	[thread overview]
Message-ID: <2026071406-ambiance-rogue-39bb@gregkh> (raw)
In-Reply-To: <b2498cb4-61f7-429a-920a-e27ecd7986e4@rowland.harvard.edu>

On Mon, Jul 13, 2026 at 12:13:04PM -0400, Alan Stern wrote:
> On Mon, Jul 13, 2026 at 05:43:52PM +0200, Griffin Kroah-Hartman wrote:
> > Change the size check from size > 0 to size >= sizeof(struct
> > usb_descriptor_header) in usb_parse_interface().  This prevents a
> > malicious device from utilizing trailing bytes to incur an OOB read.
> 
> No, because usb_parse_configuration() has already performed this check.  
> A malicious device can't avoid that earlier check, and so we don't need 
> to do it again.

Ok, this is my fault.  I gave these tasks to the author here, as part of
an project for computer security masters students at vu.nl to help grind
down the huge number of LLM-reported issues that I've gotten over the
past few months (you'll see other patches from these students being
submitted all over the tree right now as well).  Right now the LLMs seem
to be running at about 1/3 to 1/4 of "false positives", and these two
patches are a good example of that.

The thread here:
	https://lore.kernel.org/all/alEsSl8i1_FpoU0f@fudgebox/
is also another example of where the LLM wanted to add more defensive
code, despite it not really being needed.

The bots really really want to please you, and come up with ways to
swear that the change is needed, and so manual code review is still
always required.

Even with that manual review, these two fooled me, as they are obviously
not wrong (what's the harm in adding more checks?)  I caught that we
parsed the descriptors in usb_parse_configuration() but missed where
size was not incremented (I was looking at the buffer pointers).
Sashiko also missed this (catching it for the first patch, but not for
this one), proof that even the "best" LLM models out there today are
still not reliable.

Thanks for the review, much appreciated.

As for patch 3/3, I'm pretty sure that can't hurt as well.  I'm starting
to get a lot of "something could happen in an IRQ while a device is
being removed" bug reports from these tools.  Looks like they all just
discovered that very rare code path at the same time, something that
syzbot can't really fuzz for.

thanks,

greg k-h

  reply	other threads:[~2026-07-14  5:54 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-13 15:43 [PATCH 0/3] USB core defense "hardening" changes Griffin Kroah-Hartman
2026-07-13 15:43 ` [PATCH 1/3] usb: core: Add size check to find_next_descriptor() Griffin Kroah-Hartman
2026-07-13 16:14   ` Alan Stern
2026-07-13 15:43 ` [PATCH 2/3] usb: core: strengthen size check in usb_parse_interface() Griffin Kroah-Hartman
2026-07-13 16:13   ` Alan Stern
2026-07-14  5:53     ` Greg Kroah-Hartman [this message]
2026-07-14  6:20       ` Oliver Neukum
2026-07-14  6:30         ` Greg Kroah-Hartman
2026-07-14  7:06           ` Oliver Neukum
2026-07-14 16:41       ` Alan Stern
2026-07-13 15:43 ` [PATCH 3/3] usb: core: Add lock to usb_wakeup_notification() Griffin Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2026071406-ambiance-rogue-39bb@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=griffin@kroah.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=stern@rowland.harvard.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox