From: "Heiko Stübner" <heiko@sntech.de>
To: hminas@synopsys.com, gregkh@linuxfoundation.org
Cc: christoph.muellner@theobroma-systems.com, paulz@synopsys.com,
yousaf.kaukab@intel.com, balbi@ti.com, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] usb: dwc2: Fix endpoint direction check in ep_from_windex
Date: Wed, 27 Jan 2021 11:40:48 +0100 [thread overview]
Message-ID: <8309688.OUTRe80PYV@diego> (raw)
In-Reply-To: <20210125191324.1981199-1-heiko@sntech.de>
Am Montag, 25. Januar 2021, 20:13:24 CET schrieb Heiko Stuebner:
> From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
>
> dwc2_hsotg_process_req_status uses ep_from_windex() to retrieve
> the endpoint for the index provided in the wIndex request param.
>
> In a test-case with a rndis gadget running and sending a malformed
> packet to it like:
> dev.ctrl_transfer(
> 0x82, # bmRequestType
> 0x00, # bRequest
> 0x0000, # wValue
> 0x0001, # wIndex
> 0x00 # wLength
> )
> it is possible to cause a crash:
>
> [ 217.533022] dwc2 ff300000.usb: dwc2_hsotg_process_req_status: USB_REQ_GET_STATUS
> [ 217.559003] Unable to handle kernel read from unreadable memory at virtual address 0000000000000088
> ...
> [ 218.313189] Call trace:
> [ 218.330217] ep_from_windex+0x3c/0x54
> [ 218.348565] usb_gadget_giveback_request+0x10/0x20
> [ 218.368056] dwc2_hsotg_complete_request+0x144/0x184
>
> This happens because ep_from_windex wants to compare the endpoint
> direction even if index_to_ep() didn't return an endpoint due to
> the direction not matching.
>
> The fix is easy insofar that the actual direction check is already
> happening when calling index_to_ep() which will return NULL if there
> is no endpoint for the targeted direction, so the offending check
> can go away completely.
>
> Fixes: c6f5c050e2a7 ("usb: dwc2: gadget: add bi-directional endpoint support")
> Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
> Cc: stable@vger.kernel.org
superseeded by v3, which includes an appropriate Reported-by tag
and removes an now unused variable (in v2).
prev parent reply other threads:[~2021-01-27 11:21 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-25 19:13 [PATCH] usb: dwc2: Fix endpoint direction check in ep_from_windex Heiko Stuebner
2021-01-27 10:40 ` Heiko Stübner [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8309688.OUTRe80PYV@diego \
--to=heiko@sntech.de \
--cc=balbi@ti.com \
--cc=christoph.muellner@theobroma-systems.com \
--cc=gregkh@linuxfoundation.org \
--cc=hminas@synopsys.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=paulz@synopsys.com \
--cc=stable@vger.kernel.org \
--cc=yousaf.kaukab@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.