* [PATCH] staging: wlan-ng: properly check endpoint types
@ 2020-07-18 15:58 ` Rustam Kovhaev
0 siblings, 0 replies; 8+ messages in thread
From: Rustam Kovhaev @ 2020-07-18 15:58 UTC (permalink / raw)
To: gregkh; +Cc: Rustam Kovhaev, devel, linux-kernel, syzbot+c2a1fa67c02faa0de723
As syzkaller detected, wlan-ng driver submits bulk urb without checking
that the endpoint type is actually bulk, add usb_urb_ep_type_check()
Reported-and-tested-by: syzbot+c2a1fa67c02faa0de723@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=c2a1fa67c02faa0de723
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
---
drivers/staging/wlan-ng/hfa384x_usb.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
index fa1bf8b069fd..7cde60ea68a2 100644
--- a/drivers/staging/wlan-ng/hfa384x_usb.c
+++ b/drivers/staging/wlan-ng/hfa384x_usb.c
@@ -339,6 +339,12 @@ static int submit_rx_urb(struct hfa384x *hw, gfp_t memflags)
hw->rx_urb_skb = skb;
+ result = usb_urb_ep_type_check(&hw->rx_urb);
+ if (result) {
+ netdev_warn(hw->wlandev->netdev, "invalid rx endpoint");
+ goto cleanup;
+ }
+
result = -ENOLINK;
if (!hw->wlandev->hwremoved &&
!test_bit(WORK_RX_HALT, &hw->usb_flags)) {
@@ -354,6 +360,7 @@ static int submit_rx_urb(struct hfa384x *hw, gfp_t memflags)
}
}
+cleanup:
/* Don't leak memory if anything should go wrong */
if (result != 0) {
dev_kfree_skb(skb);
@@ -388,6 +395,12 @@ static int submit_tx_urb(struct hfa384x *hw, struct urb *tx_urb, gfp_t memflags)
struct net_device *netdev = hw->wlandev->netdev;
int result;
+ result = usb_urb_ep_type_check(&hw->tx_urb);
+ if (result) {
+ netdev_warn(hw->wlandev->netdev, "invalid tx endpoint");
+ goto done;
+ }
+
result = -ENOLINK;
if (netif_running(netdev)) {
if (!hw->wlandev->hwremoved &&
@@ -407,6 +420,7 @@ static int submit_tx_urb(struct hfa384x *hw, struct urb *tx_urb, gfp_t memflags)
}
}
+done:
return result;
}
--
2.27.0
^ permalink raw reply related [flat|nested] 8+ messages in thread* [PATCH] staging: wlan-ng: properly check endpoint types
@ 2020-07-18 15:58 ` Rustam Kovhaev
0 siblings, 0 replies; 8+ messages in thread
From: Rustam Kovhaev @ 2020-07-18 15:58 UTC (permalink / raw)
To: gregkh; +Cc: devel, syzbot+c2a1fa67c02faa0de723, linux-kernel, Rustam Kovhaev
As syzkaller detected, wlan-ng driver submits bulk urb without checking
that the endpoint type is actually bulk, add usb_urb_ep_type_check()
Reported-and-tested-by: syzbot+c2a1fa67c02faa0de723@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=c2a1fa67c02faa0de723
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
---
drivers/staging/wlan-ng/hfa384x_usb.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
index fa1bf8b069fd..7cde60ea68a2 100644
--- a/drivers/staging/wlan-ng/hfa384x_usb.c
+++ b/drivers/staging/wlan-ng/hfa384x_usb.c
@@ -339,6 +339,12 @@ static int submit_rx_urb(struct hfa384x *hw, gfp_t memflags)
hw->rx_urb_skb = skb;
+ result = usb_urb_ep_type_check(&hw->rx_urb);
+ if (result) {
+ netdev_warn(hw->wlandev->netdev, "invalid rx endpoint");
+ goto cleanup;
+ }
+
result = -ENOLINK;
if (!hw->wlandev->hwremoved &&
!test_bit(WORK_RX_HALT, &hw->usb_flags)) {
@@ -354,6 +360,7 @@ static int submit_rx_urb(struct hfa384x *hw, gfp_t memflags)
}
}
+cleanup:
/* Don't leak memory if anything should go wrong */
if (result != 0) {
dev_kfree_skb(skb);
@@ -388,6 +395,12 @@ static int submit_tx_urb(struct hfa384x *hw, struct urb *tx_urb, gfp_t memflags)
struct net_device *netdev = hw->wlandev->netdev;
int result;
+ result = usb_urb_ep_type_check(&hw->tx_urb);
+ if (result) {
+ netdev_warn(hw->wlandev->netdev, "invalid tx endpoint");
+ goto done;
+ }
+
result = -ENOLINK;
if (netif_running(netdev)) {
if (!hw->wlandev->hwremoved &&
@@ -407,6 +420,7 @@ static int submit_tx_urb(struct hfa384x *hw, struct urb *tx_urb, gfp_t memflags)
}
}
+done:
return result;
}
--
2.27.0
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH] staging: wlan-ng: properly check endpoint types
2020-07-18 15:58 ` Rustam Kovhaev
@ 2020-07-19 9:23 ` Greg KH
-1 siblings, 0 replies; 8+ messages in thread
From: Greg KH @ 2020-07-19 9:23 UTC (permalink / raw)
To: Rustam Kovhaev; +Cc: devel, syzbot+c2a1fa67c02faa0de723, linux-kernel
On Sat, Jul 18, 2020 at 08:58:36AM -0700, Rustam Kovhaev wrote:
> As syzkaller detected, wlan-ng driver submits bulk urb without checking
> that the endpoint type is actually bulk, add usb_urb_ep_type_check()
>
> Reported-and-tested-by: syzbot+c2a1fa67c02faa0de723@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=c2a1fa67c02faa0de723
> Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
> ---
> drivers/staging/wlan-ng/hfa384x_usb.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
> index fa1bf8b069fd..7cde60ea68a2 100644
> --- a/drivers/staging/wlan-ng/hfa384x_usb.c
> +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
> @@ -339,6 +339,12 @@ static int submit_rx_urb(struct hfa384x *hw, gfp_t memflags)
>
> hw->rx_urb_skb = skb;
>
> + result = usb_urb_ep_type_check(&hw->rx_urb);
> + if (result) {
> + netdev_warn(hw->wlandev->netdev, "invalid rx endpoint");
> + goto cleanup;
> + }
In looking at this again, can you just make these checks in the probe
function, and abort binding the driver to the device at that point in
time? This feels really late in the init sequence.
The real problem here is in the hfa384x_create() function, where it
blindly takes the 1 and 2 endpoints and assumes that those are the
"correct type". How about checking the types there, and if they are
incorrect, returning an error from that function and have the caller
return the error as well.
That should keep anything else in the driver from being initialized and
set up, and stop bad devices from being bound to the driver at a much
earlier point in time.
Note, just checking for the valid type/direction of those endpoints
should be sufficient.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH] staging: wlan-ng: properly check endpoint types
@ 2020-07-19 9:23 ` Greg KH
0 siblings, 0 replies; 8+ messages in thread
From: Greg KH @ 2020-07-19 9:23 UTC (permalink / raw)
To: Rustam Kovhaev; +Cc: devel, syzbot+c2a1fa67c02faa0de723, linux-kernel
On Sat, Jul 18, 2020 at 08:58:36AM -0700, Rustam Kovhaev wrote:
> As syzkaller detected, wlan-ng driver submits bulk urb without checking
> that the endpoint type is actually bulk, add usb_urb_ep_type_check()
>
> Reported-and-tested-by: syzbot+c2a1fa67c02faa0de723@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=c2a1fa67c02faa0de723
> Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
> ---
> drivers/staging/wlan-ng/hfa384x_usb.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
> index fa1bf8b069fd..7cde60ea68a2 100644
> --- a/drivers/staging/wlan-ng/hfa384x_usb.c
> +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
> @@ -339,6 +339,12 @@ static int submit_rx_urb(struct hfa384x *hw, gfp_t memflags)
>
> hw->rx_urb_skb = skb;
>
> + result = usb_urb_ep_type_check(&hw->rx_urb);
> + if (result) {
> + netdev_warn(hw->wlandev->netdev, "invalid rx endpoint");
> + goto cleanup;
> + }
In looking at this again, can you just make these checks in the probe
function, and abort binding the driver to the device at that point in
time? This feels really late in the init sequence.
The real problem here is in the hfa384x_create() function, where it
blindly takes the 1 and 2 endpoints and assumes that those are the
"correct type". How about checking the types there, and if they are
incorrect, returning an error from that function and have the caller
return the error as well.
That should keep anything else in the driver from being initialized and
set up, and stop bad devices from being bound to the driver at a much
earlier point in time.
Note, just checking for the valid type/direction of those endpoints
should be sufficient.
thanks,
greg k-h
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH] staging: wlan-ng: properly check endpoint types
2020-07-19 9:23 ` Greg KH
@ 2020-07-19 18:12 ` Rustam Kovhaev
-1 siblings, 0 replies; 8+ messages in thread
From: Rustam Kovhaev @ 2020-07-19 18:12 UTC (permalink / raw)
To: Greg KH; +Cc: devel, syzbot+c2a1fa67c02faa0de723, linux-kernel
On Sun, Jul 19, 2020 at 11:23:38AM +0200, Greg KH wrote:
> On Sat, Jul 18, 2020 at 08:58:36AM -0700, Rustam Kovhaev wrote:
> > As syzkaller detected, wlan-ng driver submits bulk urb without checking
> > that the endpoint type is actually bulk, add usb_urb_ep_type_check()
> >
> > Reported-and-tested-by: syzbot+c2a1fa67c02faa0de723@syzkaller.appspotmail.com
> > Link: https://syzkaller.appspot.com/bug?extid=c2a1fa67c02faa0de723
> > Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
> > ---
> > drivers/staging/wlan-ng/hfa384x_usb.c | 14 ++++++++++++++
> > 1 file changed, 14 insertions(+)
> >
> > diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
> > index fa1bf8b069fd..7cde60ea68a2 100644
> > --- a/drivers/staging/wlan-ng/hfa384x_usb.c
> > +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
> > @@ -339,6 +339,12 @@ static int submit_rx_urb(struct hfa384x *hw, gfp_t memflags)
> >
> > hw->rx_urb_skb = skb;
> >
> > + result = usb_urb_ep_type_check(&hw->rx_urb);
> > + if (result) {
> > + netdev_warn(hw->wlandev->netdev, "invalid rx endpoint");
> > + goto cleanup;
> > + }
>
> In looking at this again, can you just make these checks in the probe
> function, and abort binding the driver to the device at that point in
> time? This feels really late in the init sequence.
>
> The real problem here is in the hfa384x_create() function, where it
> blindly takes the 1 and 2 endpoints and assumes that those are the
> "correct type". How about checking the types there, and if they are
> incorrect, returning an error from that function and have the caller
> return the error as well.
>
> That should keep anything else in the driver from being initialized and
> set up, and stop bad devices from being bound to the driver at a much
> earlier point in time.
>
> Note, just checking for the valid type/direction of those endpoints
> should be sufficient.
>
tyvm for the feedback! makes perfect sense, i'll send a new patch
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH] staging: wlan-ng: properly check endpoint types
@ 2020-07-19 18:12 ` Rustam Kovhaev
0 siblings, 0 replies; 8+ messages in thread
From: Rustam Kovhaev @ 2020-07-19 18:12 UTC (permalink / raw)
To: Greg KH; +Cc: devel, syzbot+c2a1fa67c02faa0de723, linux-kernel
On Sun, Jul 19, 2020 at 11:23:38AM +0200, Greg KH wrote:
> On Sat, Jul 18, 2020 at 08:58:36AM -0700, Rustam Kovhaev wrote:
> > As syzkaller detected, wlan-ng driver submits bulk urb without checking
> > that the endpoint type is actually bulk, add usb_urb_ep_type_check()
> >
> > Reported-and-tested-by: syzbot+c2a1fa67c02faa0de723@syzkaller.appspotmail.com
> > Link: https://syzkaller.appspot.com/bug?extid=c2a1fa67c02faa0de723
> > Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
> > ---
> > drivers/staging/wlan-ng/hfa384x_usb.c | 14 ++++++++++++++
> > 1 file changed, 14 insertions(+)
> >
> > diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
> > index fa1bf8b069fd..7cde60ea68a2 100644
> > --- a/drivers/staging/wlan-ng/hfa384x_usb.c
> > +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
> > @@ -339,6 +339,12 @@ static int submit_rx_urb(struct hfa384x *hw, gfp_t memflags)
> >
> > hw->rx_urb_skb = skb;
> >
> > + result = usb_urb_ep_type_check(&hw->rx_urb);
> > + if (result) {
> > + netdev_warn(hw->wlandev->netdev, "invalid rx endpoint");
> > + goto cleanup;
> > + }
>
> In looking at this again, can you just make these checks in the probe
> function, and abort binding the driver to the device at that point in
> time? This feels really late in the init sequence.
>
> The real problem here is in the hfa384x_create() function, where it
> blindly takes the 1 and 2 endpoints and assumes that those are the
> "correct type". How about checking the types there, and if they are
> incorrect, returning an error from that function and have the caller
> return the error as well.
>
> That should keep anything else in the driver from being initialized and
> set up, and stop bad devices from being bound to the driver at a much
> earlier point in time.
>
> Note, just checking for the valid type/direction of those endpoints
> should be sufficient.
>
tyvm for the feedback! makes perfect sense, i'll send a new patch
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH] staging: wlan-ng: properly check endpoint types
@ 2020-07-22 16:10 ` Rustam Kovhaev
0 siblings, 0 replies; 8+ messages in thread
From: Rustam Kovhaev @ 2020-07-22 16:10 UTC (permalink / raw)
To: gregkh; +Cc: devel, linux-kernel, Rustam Kovhaev
As syzkaller detected, wlan-ng driver does not do sanity check of
endpoints in prism2sta_probe_usb(), add check for xfer direction and type
Reported-and-tested-by: syzbot+c2a1fa67c02faa0de723@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=c2a1fa67c02faa0de723
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
---
drivers/staging/wlan-ng/prism2usb.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/wlan-ng/prism2usb.c b/drivers/staging/wlan-ng/prism2usb.c
index 4689b2170e4f..456603fd26c0 100644
--- a/drivers/staging/wlan-ng/prism2usb.c
+++ b/drivers/staging/wlan-ng/prism2usb.c
@@ -61,11 +61,25 @@ static int prism2sta_probe_usb(struct usb_interface *interface,
const struct usb_device_id *id)
{
struct usb_device *dev;
-
+ const struct usb_endpoint_descriptor *epd;
+ const struct usb_host_interface *iface_desc = interface->cur_altsetting;
struct wlandevice *wlandev = NULL;
struct hfa384x *hw = NULL;
int result = 0;
+ if (iface_desc->desc.bNumEndpoints != 2) {
+ result = -ENODEV;
+ goto failed;
+ }
+
+ result = -EINVAL;
+ epd = &iface_desc->endpoint[1].desc;
+ if (!usb_endpoint_is_bulk_in(epd))
+ goto failed;
+ epd = &iface_desc->endpoint[2].desc;
+ if (!usb_endpoint_is_bulk_out(epd))
+ goto failed;
+
dev = interface_to_usbdev(interface);
wlandev = create_wlan();
if (!wlandev) {
--
2.27.0
^ permalink raw reply related [flat|nested] 8+ messages in thread* [PATCH] staging: wlan-ng: properly check endpoint types
@ 2020-07-22 16:10 ` Rustam Kovhaev
0 siblings, 0 replies; 8+ messages in thread
From: Rustam Kovhaev @ 2020-07-22 16:10 UTC (permalink / raw)
To: gregkh; +Cc: devel, linux-kernel, Rustam Kovhaev
As syzkaller detected, wlan-ng driver does not do sanity check of
endpoints in prism2sta_probe_usb(), add check for xfer direction and type
Reported-and-tested-by: syzbot+c2a1fa67c02faa0de723@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=c2a1fa67c02faa0de723
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
---
drivers/staging/wlan-ng/prism2usb.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/wlan-ng/prism2usb.c b/drivers/staging/wlan-ng/prism2usb.c
index 4689b2170e4f..456603fd26c0 100644
--- a/drivers/staging/wlan-ng/prism2usb.c
+++ b/drivers/staging/wlan-ng/prism2usb.c
@@ -61,11 +61,25 @@ static int prism2sta_probe_usb(struct usb_interface *interface,
const struct usb_device_id *id)
{
struct usb_device *dev;
-
+ const struct usb_endpoint_descriptor *epd;
+ const struct usb_host_interface *iface_desc = interface->cur_altsetting;
struct wlandevice *wlandev = NULL;
struct hfa384x *hw = NULL;
int result = 0;
+ if (iface_desc->desc.bNumEndpoints != 2) {
+ result = -ENODEV;
+ goto failed;
+ }
+
+ result = -EINVAL;
+ epd = &iface_desc->endpoint[1].desc;
+ if (!usb_endpoint_is_bulk_in(epd))
+ goto failed;
+ epd = &iface_desc->endpoint[2].desc;
+ if (!usb_endpoint_is_bulk_out(epd))
+ goto failed;
+
dev = interface_to_usbdev(interface);
wlandev = create_wlan();
if (!wlandev) {
--
2.27.0
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
^ permalink raw reply related [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-07-22 16:11 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-18 15:58 [PATCH] staging: wlan-ng: properly check endpoint types Rustam Kovhaev
2020-07-18 15:58 ` Rustam Kovhaev
2020-07-19 9:23 ` Greg KH
2020-07-19 9:23 ` Greg KH
2020-07-19 18:12 ` Rustam Kovhaev
2020-07-19 18:12 ` Rustam Kovhaev
2020-07-22 16:10 Rustam Kovhaev
2020-07-22 16:10 ` Rustam Kovhaev
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.