All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Alan Stern <stern@rowland.harvard.edu>,
	syzbot+23be03b56c5259385d79@syzkaller.appspotmail.com
Subject: [PATCH 4.14 74/86] USB: sisusbvga: Add endpoint checks
Date: Sun, 28 May 2023 20:10:48 +0100	[thread overview]
Message-ID: <20230528190831.399750122@linuxfoundation.org> (raw)
In-Reply-To: <20230528190828.564682883@linuxfoundation.org>

From: Alan Stern <stern@rowland.harvard.edu>

commit df05a9b05e466a46725564528b277d0c570d0104 upstream.

The syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver:

------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 <0f> 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95
RBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003
R13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline]
 sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379
 sisusb_send_bridge_packet drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline]
 sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline]
 sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177
 sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869
...

The problem was caused by the fact that the driver does not check
whether the endpoints it uses are actually present and have the
appropriate types.  This can be fixed by adding a simple check of
the endpoints.

Link: https://syzkaller.appspot.com/bug?extid=23be03b56c5259385d79
Reported-and-tested-by: syzbot+23be03b56c5259385d79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/48ef98f7-51ae-4f63-b8d3-0ef2004bb60a@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/misc/sisusbvga/sisusb.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/usb/misc/sisusbvga/sisusb.c
+++ b/drivers/usb/misc/sisusbvga/sisusb.c
@@ -3015,6 +3015,20 @@ static int sisusb_probe(struct usb_inter
 	struct usb_device *dev = interface_to_usbdev(intf);
 	struct sisusb_usb_data *sisusb;
 	int retval = 0, i;
+	static const u8 ep_addresses[] = {
+		SISUSB_EP_GFX_IN | USB_DIR_IN,
+		SISUSB_EP_GFX_OUT | USB_DIR_OUT,
+		SISUSB_EP_GFX_BULK_OUT | USB_DIR_OUT,
+		SISUSB_EP_GFX_LBULK_OUT | USB_DIR_OUT,
+		SISUSB_EP_BRIDGE_IN | USB_DIR_IN,
+		SISUSB_EP_BRIDGE_OUT | USB_DIR_OUT,
+		0};
+
+	/* Are the expected endpoints present? */
+	if (!usb_check_bulk_endpoints(intf, ep_addresses)) {
+		dev_err(&intf->dev, "Invalid USB2VGA device\n");
+		return -EINVAL;
+	}
 
 	dev_info(&dev->dev, "USB2VGA dongle found at address %d\n",
 			dev->devnum);



  parent reply	other threads:[~2023-05-28 19:15 UTC|newest]

Thread overview: 95+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-28 19:09 [PATCH 4.14 00/86] 4.14.316-rc1 review Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 01/86] net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs() Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 02/86] netlink: annotate accesses to nlk->cb_running Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 03/86] net: annotate sk->sk_err write from do_recvmmsg() Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 04/86] ipvlan:Fix out-of-bounds caused by unclear skb->cb Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 05/86] af_unix: Fix a data race of sk->sk_receive_queue->qlen Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 06/86] fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 07/86] regmap: cache: Return error in cache sync operations for REGCACHE_NONE Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 08/86] memstick: r592: Fix UAF bug in r592_remove due to race condition Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 09/86] ACPI: EC: Fix oops when removing custom query handlers Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 10/86] drm/tegra: Avoid potential 32-bit integer overflow Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 11/86] ACPICA: Avoid undefined behavior: applying zero offset to null pointer Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 12/86] ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 13/86] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 14/86] ext2: Check block size validity during mount Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 15/86] net: pasemi: Fix return type of pasemi_mac_start_tx() Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 16/86] net: Catch invalid index in XPS mapping Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 17/86] lib: cpu_rmap: Avoid use after free on rmap->obj array entries Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 18/86] scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 19/86] gfs2: Fix inode height consistency check Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 20/86] ext4: set goal start correctly in ext4_mb_normalize_request Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 21/86] ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 22/86] null_blk: Always check queue mode setting from configfs Greg Kroah-Hartman
2023-05-29 16:46   ` Harshit Mogalapalli
2023-05-29 19:00     ` Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 23/86] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 24/86] Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 4.14 25/86] staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 26/86] HID: logitech-hidpp: Dont use the USB serial for USB devices Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 27/86] HID: logitech-hidpp: Reconcile USB and Unifying serials Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 28/86] spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3 Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 29/86] HID: wacom: generic: Set battery quirk only when we see battery data Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 30/86] serial: 8250: Reinit port->pm on port specific driver unbind Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 31/86] mcb-pci: Reallocate memory region to avoid memory overlapping Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 32/86] sched: Fix KCSAN noinstr violation Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 33/86] recordmcount: Fix memory leaks in the uwrite function Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 34/86] clk: tegra20: fix gcc-7 constant overflow warning Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 35/86] Input: xpad - add constants for GIP interface numbers Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 36/86] phy: st: miphy28lp: use _poll_timeout functions for waits Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 37/86] mfd: dln2: Fix memory leak in dln2_probe() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 38/86] cpupower: Make TSC read per CPU for Mperf monitor Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 39/86] af_key: Reject optional tunnel/BEET mode templates in outbound policies Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 40/86] net: fec: Better handle pm_runtime_get() failing in .remove() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 41/86] vsock: avoid to close connected socket after the timeout Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 42/86] media: netup_unidvb: fix use-after-free at del_timer() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 43/86] net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 44/86] cassini: Fix a memory leak in the error handling path of cas_init_one() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 45/86] igb: fix bit_shift to be in [1..8] range Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 46/86] vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 47/86] usb-storage: fix deadlock when a scsi command timeouts more than once Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 48/86] ALSA: hda: Fix Oops by 9.1 surround channel names Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 49/86] ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 50/86] statfs: enforce statfs[64] structure initialization Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 51/86] serial: Add support for Advantech PCI-1611U card Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 52/86] ceph: force updating the msg pointer in non-split case Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 53/86] nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 54/86] netfilter: nf_tables: bogus EBUSY in helper removal from transaction Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 55/86] spi: spi-fsl-spi: automatically adapt bits-per-word in cpu mode Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 56/86] spi: fsl-spi: Re-organise transfer bits_per_word adaptation Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 57/86] spi: fsl-cpm: Use 16 bit mode for large transfers with even size Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 58/86] m68k: Move signal frame following exception on 68020/030 Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 59/86] parisc: Allow to reboot machine after system halt Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 60/86] netfilter: nftables: add nft_parse_register_load() and use it Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 61/86] netfilter: nftables: add nft_parse_register_store() " Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 62/86] netfilter: nftables: statify nft_parse_register() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 63/86] netfilter: nf_tables: validate registers coming from userspace Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 64/86] netfilter: nf_tables: add nft_setelem_parse_key() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 65/86] netfilter: nf_tables: allow up to 64 bytes in the set element data area Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 66/86] netfilter: nf_tables: stricter validation of element data Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 67/86] netfilter: nft_dynset: do not reject set updates with NFT_SET_EVAL Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 68/86] netfilter: nf_tables: do not allow RULE_ID to refer to another chain Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 69/86] netfilter: nf_tables: do not allow SET_ID to refer to another table Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 70/86] netfilter: nf_tables: fix register ordering Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 71/86] x86/mm: Avoid incomplete Global INVLPG flushes Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 72/86] selftests/memfd: Fix unknown type name build failure Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 73/86] USB: core: Add routines for endpoint checks in old drivers Greg Kroah-Hartman
2023-05-28 19:10 ` Greg Kroah-Hartman [this message]
2023-05-28 19:10 ` [PATCH 4.14 75/86] media: radio-shark: Add endpoint checks Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 76/86] net: fix skb leak in __skb_tstamp_tx() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 77/86] ipv6: Fix out-of-bounds access in ipv6_find_tlv() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 78/86] power: supply: leds: Fix blink to LED on transition Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 79/86] power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 80/86] power: supply: bq27xxx: Fix I2C IRQ race on remove Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 81/86] power: supply: bq27xxx: Fix poll_interval handling and races " Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 82/86] power: supply: sbs-charger: Fix INHIBITED bit for Status reg Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 83/86] xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 84/86] x86/show_trace_log_lvl: Ensure stack pointer is aligned, again Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 4.14 85/86] forcedeth: Fix an error handling path in nv_probe() Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 4.14 86/86] 3c589_cs: Fix an error handling path in tc589_probe() Greg Kroah-Hartman
2023-05-29 16:04 ` [PATCH 4.14 00/86] 4.14.316-rc1 review Guenter Roeck
2023-05-29 17:55 ` Naresh Kamboju
2023-05-30  5:17 ` Harshit Mogalapalli
2023-05-30  9:19 ` Jon Hunter
2023-05-30 10:26 ` Pavel Machek
2023-05-30 11:53 ` Chris Paterson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230528190831.399750122@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=patches@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    --cc=stern@rowland.harvard.edu \
    --cc=syzbot+23be03b56c5259385d79@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.