From: Greg KH <gregkh@linuxfoundation.org>
To: Edward Adam Davis <eadavis@qq.com>
Cc: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
stern@rowland.harvard.edu,
syzbot+9d34f80f841e948c3fdb@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH V3] USB: usbtmc: prevent kernel-usb-infoleak
Date: Sun, 8 Sep 2024 10:33:11 +0200 [thread overview]
Message-ID: <2024090809-subdued-mystify-32b6@gregkh> (raw)
In-Reply-To: <tencent_6C71E6C09363C370897103ADC45ED7743705@qq.com>
On Sun, Sep 08, 2024 at 04:16:39PM +0800, Edward Adam Davis wrote:
> On Sun, 8 Sep 2024 09:54:22 +0200, Greg KH wrote:
> > On Sun, Sep 08, 2024 at 03:35:49PM +0800, Edward Adam Davis wrote:
> > > On Sun, 8 Sep 2024 07:20:40 +0200, Greg KH wrote:
> > > > On Sun, Sep 08, 2024 at 10:20:57AM +0800, Edward Adam Davis wrote:
> > > > > The syzbot reported a kernel-usb-infoleak in usbtmc_write.
> > > > >
> > > > > The expression "aligned = (transfersize + (USBTMC_HEADER_SIZE + 3)) & ~3;"
> > > > > in usbtmcw_write() follows the following pattern:
> > > > >
> > > > > aligned = (1 + 12 + 3) & ~3 = 16 // 3 bytes have not been initialized
> > > > > aligned = (2 + 12 + 3) & ~3 = 16 // 2 bytes have not been initialized
> > > > > aligned = (3 + 12 + 3) & ~3 = 16 // 1 byte has not been initialized
> > > > > aligned = (4 + 12 + 3) & ~3 = 16 // All bytes have been initialized
> > > > > aligned = (5 + 12 + 3) & ~3 = 20 // 3 bytes have not been initialized
> > > > > aligned = (6 + 12 + 3) & ~3 = 20 // 2 bytes have not been initialized
> > > > > aligned = (7 + 12 + 3) & ~3 = 20 // 1 byte has not been initialized
> > > > > aligned = (8 + 12 + 3) & ~3 = 20 // All bytes have been initialized
> > > > > aligned = (9 + 12 + 3) & ~3 = 24
> > > > > ...
> > > > >
> > > > > Note: #define USBTMC_HEADER_SIZE 12
> > > > >
> > > > > This results in the buffer[USBTMC_SEAD_SIZE+transfersize] and its
> > > > > subsequent memory not being initialized.
> > > > >
> > > > > Fixes: 4ddc645f40e9 ("usb: usbtmc: Add ioctl for vendor specific write")
> > > > > Reported-and-tested-by: syzbot+9d34f80f841e948c3fdb@syzkaller.appspotmail.com
> > > > > Closes: https://syzkaller.appspot.com/bug?extid=9d34f80f841e948c3fdb
> > > > > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> > > > > ---
> > > > > V2 -> V3: Update condition and comments
> > > > >
> > > > > drivers/usb/class/usbtmc.c | 4 ++++
> > > > > 1 file changed, 4 insertions(+)
> > > > >
> > > > > diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
> > > > > index 6bd9fe565385..faf8c5508997 100644
> > > > > --- a/drivers/usb/class/usbtmc.c
> > > > > +++ b/drivers/usb/class/usbtmc.c
> > > > > @@ -1591,6 +1591,10 @@ static ssize_t usbtmc_write(struct file *filp, const char __user *buf,
> > > > > goto exit;
> > > > > }
> > > > >
> > > > > + if (USBTMC_HEADER_SIZE + transfersize < aligned)
> > > > > + memset(&buffer[USBTMC_HEADER_SIZE + transfersize], 0,
> > > > > + aligned - USBTMC_HEADER_SIZE - transfersize);
> > > >
> > > > As this is now a pain to read/understand, and there's no comment
> > > > describing it so we'll not really understand it in a few months, let
> > > > alone years, how about we just do the trivial thing and make the
> > > > allocation with kzalloc() to start with? And put a comment there saying
> > > > why it's zeroed out.
> > > Perhaps I wrote too much in my comments, but in essence, the logic behind
> > > this version's fix is:
> > > When aligned is greater than (USBTMC_HEADER_SIZE+transfersize), there are
> > > (aligned - (USBTMC_HEADER_SIZE+transfersize) bytes after the header and data
> > > that have not been initialized, and these bytes are then set to 0.
> > > >
> > > > Sorry, I thought this was going to be a lot simpler based on your first
> > > > patch than this type of logic.
> > > As you mentioned in my first version patch, this approach is simple and
> > > easy to understand, but it comes at the cost of losing the real issue,
> > > and KMSAN will not find similar problems again in the future, which is
> > > not conducive to making the program logic more robust.
> >
> > There will not be similar problems in the future as you are explicitly
> > setting everything to 0, so all should be fine :)
> >
> > The real issue here is that the usbtmc logic of sending data is crazy,
> > and unique to it for various reasons that well all really don't
> > understand. Given the very small number of these devices in the world,
> > it's probably best left to the maintainers of it to handle any real
> > problems going forward, and just squash these types of fuzzing bugs now
> > with a heavy hammer to make them happy.
> I reserve my opinion.
>
> If you insist, you can use my first patch directly:
> https://lore.kernel.org/all/tencent_088B2EF2AEE00C8AE7D706CCD2CBC6484906@qq.com
No, that should be 'kzalloc()' instead of alocating and calling
memset(), to save us the round-trip of someone coming afterward and
cleaning up this common pattern to be a single call.
thanks,
greg k-h
next prev parent reply other threads:[~2024-09-08 8:33 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-25 9:14 [syzbot] [usb?] KMSAN: kernel-usb-infoleak in usbtmc_write syzbot
2024-09-04 12:00 ` syzbot
2024-09-04 12:47 ` Edward Adam Davis
2024-09-04 13:33 ` syzbot
2024-09-04 13:55 ` [PATCH] USB: usbtmc: prevent kernel-infoleak Edward Adam Davis
2024-09-04 14:09 ` Greg KH
2024-09-04 14:13 ` Greg KH
2024-09-05 13:56 ` Edward Adam Davis
2024-09-05 14:04 ` Greg KH
2024-09-05 14:16 ` Edward Adam Davis
2024-09-06 14:11 ` [PATCH V2] USB: usbtmc: prevent kernel-usb-infoleak Edward Adam Davis
2024-09-06 14:28 ` Alan Stern
2024-09-07 2:08 ` Edward Adam Davis
2024-09-07 14:45 ` Alan Stern
2024-09-08 0:59 ` Edward Adam Davis
2024-09-08 1:32 ` Alan Stern
2024-09-08 2:01 ` Edward Adam Davis
2024-09-08 2:20 ` [PATCH V3] " Edward Adam Davis
2024-09-08 5:20 ` Greg KH
2024-09-08 7:35 ` Edward Adam Davis
2024-09-08 7:54 ` Greg KH
2024-09-08 8:16 ` Edward Adam Davis
2024-09-08 8:33 ` Greg KH [this message]
2024-09-08 9:17 ` [PATCH v4] " Edward Adam Davis
2024-09-05 11:27 ` [syzbot] [usb?] KMSAN: kernel-usb-infoleak in usbtmc_write Edward Adam Davis
2024-09-05 15:42 ` syzbot
2024-09-05 14:21 ` Edward Adam Davis
2024-09-05 16:11 ` syzbot
2024-09-06 11:55 ` Edward Adam Davis
2024-09-06 12:29 ` syzbot
2024-09-06 12:37 ` Edward Adam Davis
2024-09-06 13:07 ` syzbot
2024-09-06 13:06 ` Edward Adam Davis
2024-09-06 13:51 ` syzbot
2024-09-06 13:52 ` Edward Adam Davis
2024-09-06 16:59 ` syzbot
2024-09-05 7:11 ` [syzbot] " syzbot
2024-09-05 8:29 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2024090809-subdued-mystify-32b6@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=eadavis@qq.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+9d34f80f841e948c3fdb@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox