All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Alan Stern <stern@rowland.harvard.edu>,
	syzbot+23be03b56c5259385d79@syzkaller.appspotmail.com
Subject: [PATCH 5.15 33/69] USB: sisusbvga: Add endpoint checks
Date: Sun, 28 May 2023 20:11:53 +0100	[thread overview]
Message-ID: <20230528190829.605946701@linuxfoundation.org> (raw)
In-Reply-To: <20230528190828.358612414@linuxfoundation.org>

From: Alan Stern <stern@rowland.harvard.edu>

commit df05a9b05e466a46725564528b277d0c570d0104 upstream.

The syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver:

------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 <0f> 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95
RBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003
R13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline]
 sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379
 sisusb_send_bridge_packet drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline]
 sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline]
 sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177
 sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869
...

The problem was caused by the fact that the driver does not check
whether the endpoints it uses are actually present and have the
appropriate types.  This can be fixed by adding a simple check of
the endpoints.

Link: https://syzkaller.appspot.com/bug?extid=23be03b56c5259385d79
Reported-and-tested-by: syzbot+23be03b56c5259385d79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/48ef98f7-51ae-4f63-b8d3-0ef2004bb60a@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/misc/sisusbvga/sisusb.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/usb/misc/sisusbvga/sisusb.c
+++ b/drivers/usb/misc/sisusbvga/sisusb.c
@@ -3014,6 +3014,20 @@ static int sisusb_probe(struct usb_inter
 	struct usb_device *dev = interface_to_usbdev(intf);
 	struct sisusb_usb_data *sisusb;
 	int retval = 0, i;
+	static const u8 ep_addresses[] = {
+		SISUSB_EP_GFX_IN | USB_DIR_IN,
+		SISUSB_EP_GFX_OUT | USB_DIR_OUT,
+		SISUSB_EP_GFX_BULK_OUT | USB_DIR_OUT,
+		SISUSB_EP_GFX_LBULK_OUT | USB_DIR_OUT,
+		SISUSB_EP_BRIDGE_IN | USB_DIR_IN,
+		SISUSB_EP_BRIDGE_OUT | USB_DIR_OUT,
+		0};
+
+	/* Are the expected endpoints present? */
+	if (!usb_check_bulk_endpoints(intf, ep_addresses)) {
+		dev_err(&intf->dev, "Invalid USB2VGA device\n");
+		return -EINVAL;
+	}
 
 	dev_info(&dev->dev, "USB2VGA dongle found at address %d\n",
 			dev->devnum);



  parent reply	other threads:[~2023-05-28 19:48 UTC|newest]

Thread overview: 77+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-28 19:11 [PATCH 5.15 00/69] 5.15.114-rc1 review Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 01/69] usb: gadget: Properly configure the device for remote wakeup Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 02/69] usb: dwc3: fix gadget mode suspend interrupt handler issue Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 03/69] dt-bindings: ata: ahci-ceva: convert to yaml Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 04/69] dt-bindings: ata: ahci-ceva: Cover all 4 iommus entries Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 05/69] watchdog: sp5100_tco: Immediately trigger upon starting Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 06/69] ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15 Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 07/69] spi: fsl-spi: Re-organise transfer bits_per_word adaptation Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 08/69] spi: fsl-cpm: Use 16 bit mode for large transfers with even size Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 09/69] ocfs2: Switch to security_inode_init_security() Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 10/69] arm64: Also reset KASAN tag if page is not PG_mte_tagged Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 11/69] ALSA: hda/ca0132: add quirk for EVGA X299 DARK Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 12/69] ALSA: hda: Fix unhandled register update during auto-suspend period Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 13/69] ALSA: hda/realtek: Enable headset onLenovo M70/M90 Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 14/69] mmc: sdhci-esdhc-imx: make "no-mmc-hs400" works Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 15/69] ASoC: rt5682: Disable jack detection interrupt during suspend Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 16/69] net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 17/69] m68k: Move signal frame following exception on 68020/030 Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 18/69] parisc: Handle kgdb breakpoints only in kernel context Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 19/69] parisc: Allow to reboot machine after system halt Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 20/69] gpio: mockup: Fix mode of debugfs files Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 21/69] btrfs: use nofs when cleaning up aborted transactions Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 22/69] dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 23/69] x86/mm: Avoid incomplete Global INVLPG flushes Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 24/69] selftests/memfd: Fix unknown type name build failure Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 25/69] parisc: Fix flush_dcache_page() for usage from irq context Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 26/69] perf/x86/uncore: Correct the number of CHAs on SPR Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 27/69] x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 28/69] debugobjects: Dont wake up kswapd from fill_pool() Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 29/69] fbdev: udlfb: Fix endpoint check Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 30/69] net: fix stack overflow when LRO is disabled for virtual interfaces Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 31/69] udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated() Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 32/69] USB: core: Add routines for endpoint checks in old drivers Greg Kroah-Hartman
2023-05-28 19:11 ` Greg Kroah-Hartman [this message]
2023-05-28 19:11 ` [PATCH 5.15 34/69] media: radio-shark: Add endpoint checks Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 35/69] ASoC: lpass: Fix for KASAN use_after_free out of bounds Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 36/69] net: fix skb leak in __skb_tstamp_tx() Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 37/69] selftests: fib_tests: mute cleanup error message Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 38/69] octeontx2-pf: Fix TSOv6 offload Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.15 39/69] bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 40/69] ipv6: Fix out-of-bounds access in ipv6_find_tlv() Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 41/69] cifs: mapchars mount option ignored Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 42/69] power: supply: leds: Fix blink to LED on transition Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 43/69] power: supply: mt6360: add a check of devm_work_autocancel in mt6360_charger_probe Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 44/69] power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 45/69] power: supply: bq27xxx: Fix I2C IRQ race on remove Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 46/69] power: supply: bq27xxx: Fix poll_interval handling and races " Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 47/69] power: supply: bq27xxx: Add cache parameter to bq27xxx_battery_current_and_status() Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 48/69] power: supply: sbs-charger: Fix INHIBITED bit for Status reg Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 49/69] firmware: arm_ffa: Check if ffa_driver remove is present before executing Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 50/69] firmware: arm_ffa: Fix FFA device names for logical partitions Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 51/69] fs: fix undefined behavior in bit shift for SB_NOUSER Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 52/69] regulator: pca9450: Fix BUCK2 enable_mask Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 53/69] coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet() Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 54/69] xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 55/69] x86/show_trace_log_lvl: Ensure stack pointer is aligned, again Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 56/69] ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 57/69] sctp: fix an issue that plpmtu can never go to complete state Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 58/69] forcedeth: Fix an error handling path in nv_probe() Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 59/69] platform/mellanox: mlxbf-pmc: fix sscanf() error checking Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 60/69] net/mlx5e: do as little as possible in napi poll when budget is 0 Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 61/69] net/mlx5: DR, Fix crc32 calculation to work on big-endian (BE) CPUs Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 62/69] net/mlx5: DR, Check force-loopback RC QP capability independently from RoCE Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 63/69] net/mlx5: Fix error message when failing to allocate device memory Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 64/69] net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 65/69] arm64: dts: imx8mn-var-som: fix PHY detection bug by adding deassert delay Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 66/69] firmware: arm_ffa: Set reserved/MBZ fields to zero in the memory descriptors Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 67/69] regulator: mt6359: add read check for PMIC MT6359 Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 68/69] 3c589_cs: Fix an error handling path in tc589_probe() Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.15 69/69] net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE Greg Kroah-Hartman
2023-05-29  5:03 ` [PATCH 5.15 00/69] 5.15.114-rc1 review Bagas Sanjaya
2023-05-29 15:52 ` Naresh Kamboju
2023-05-29 16:06 ` Guenter Roeck
2023-05-30  6:49 ` Ron Economos
2023-05-30 11:56 ` Chris Paterson
2023-05-30 17:00 ` Allen Pais
2023-05-30 18:52 ` Florian Fainelli

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230528190829.605946701@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=patches@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    --cc=stern@rowland.harvard.edu \
    --cc=syzbot+23be03b56c5259385d79@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.