From: bugzilla-daemon@bugzilla.kernel.org
To: linux-usb@vger.kernel.org
Subject: [Bug 214437] New: usb: hid: u2fzero: buffer overrun in u2fzero_rng_read
Date: Thu, 16 Sep 2021 15:53:49 +0000
Message-ID: <bug-214437-208809@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=214437

            Bug ID: 214437
           Summary: usb: hid: u2fzero: buffer overrun in u2fzero_rng_read
           Product: Drivers
           Version: 2.5
    Kernel Version: 5.11.0
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: USB
          Assignee: drivers_usb@kernel-bugs.kernel.org
          Reporter: andrew@shadura.me
        Regression: No

Sometimes the driver crashes with a buffer overflow upon device insertion.
After the crash, often neither U2F nor RNG functionality is available.

usb 2-2: USB disconnect, device number 18
detected buffer overflow in memcpy
------------[ cut here ]------------
kernel BUG at lib/string.c:1149!
invalid opcode: 0000 [#1] SMP PTI
CPU: 1 PID: 61299 Comm: hwrng Tainted: G          IOE     5.11.0-25-generic
#27-Ubuntu
Hardware name: LENOVO 20CM001UUK/20CM001UUK, BIOS N10ET27W (1.04 ) 12/01/2014
RIP: 0010:fortify_panic+0x13/0x15
Code: 35 96 77 36 01 48 c7 c7 6b 01 81 8a e8 d3 c3 fe ff 41 5c 41 5d 5d c3 55
48 89 fe 48 c7 c7 b8 01 81 8a 48 89 e5 e8 ba c3 fe ff <0f> 0b 48 c7 c7 90 f7 48
8a e8 df ff ff ff 48 c7 c7 98 f7 48 8a e8
RSP: 0018:ffffb04803df3e28 EFLAGS: 00010246
RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8de3bdc58ac0 RDI: ffff8de3bdc58ac0
RBP: ffffb04803df3e28 R08: 0000000000000000 R09: ffffb04803df3c20
R10: ffffb04803df3c18 R11: ffffffff8af53588 R12: ffff8de089aa7440
R13: ffff8de2c3862598 R14: 0000000000000000 R15: ffffb0480366f428
FS:  0000000000000000(0000) GS:ffff8de3bdc40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa10098f000 CR3: 00000002bec10004 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 u2fzero_rng_read.cold+0xc/0xc [hid_u2fzero]
 hwrng_fillfn+0xd8/0x180
 kthread+0x12f/0x150
 ? enable_best_rng+0x70/0x70
 ? __kthread_bind_mask+0x70/0x70
 ret_from_fork+0x22/0x30
Modules linked in: hid_u2fzero hid_generic usbhid hid usb_serial_simple
usbserial ccm xt_nat veth nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype
br_netfilter bridge stp llc vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) bnep
snd_seq_dummy snd_hrtimer ip6t_REJECT nf_reject_ipv6 ip6t_rpfilter xt_tcpudp
ipt_REJECT nf_reject_ipv4 xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat
nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_counter overlay ip6_tables
nft_compat ip_set nf_tables nfnetlink nls_iso8859_1 binfmt_misc joydev
intel_rapl_msr mei_hdcp snd_hda_codec_realtek snd_hda_codec_generic
snd_hda_codec_hdmi uvcvideo snd_hda_intel btusb btrtl intel_rapl_common
snd_intel_dspcfg soundwire_intel x86_pkg_temp_thermal
soundwire_generic_allocation intel_powerclamp btbcm soundwire_cadence coretemp
snd_hda_codec btintel snd_hda_core cdc_mbim kvm_intel cdc_wdm snd_hwdep
bluetooth cdc_ncm cdc_ether snd_seq_midi ecdh_generic soundwire_bus
snd_seq_midi_event cdc_acm ecc usbnet mii kvm
 rmi_smbus snd_soc_core snd_compress rapl rmi_core intel_cstate ac97_bus
snd_rawmidi snd_pcm_dmaengine videobuf2_vmalloc snd_pcm input_leds iwlmvm
videobuf2_memops mac80211 serio_raw wmi_bmof efi_pstore videobuf2_v4l2 libarc4
videobuf2_common snd_seq iwlwifi snd_seq_device snd_timer videodev at24
intel_pch_thermal mc cfg80211 thinkpad_acpi nvram ledtrig_audio mei_me mei snd
soundcore mac_hid sch_fq_codel pkcs8_key_parser msr parport_pc ppdev lp parport
ip_tables x_tables autofs4 btrfs blake2b_generic xor raid6_pq libcrc32c
dm_crypt crct10dif_pclmul i915 rtsx_pci_sdmmc crc32_pclmul i2c_algo_bit
ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper lpc_ich
drm_kms_helper syscopyarea sysfillrect psmouse sysimgblt fb_sys_fops cec ahci
i2c_i801 libahci rc_core i2c_smbus e1000e rtsx_pci drm xhci_pci
xhci_pci_renesas wmi video
---[ end trace e7936f97d201c167 ]---
RIP: 0010:fortify_panic+0x13/0x15
Code: 35 96 77 36 01 48 c7 c7 6b 01 81 8a e8 d3 c3 fe ff 41 5c 41 5d 5d c3 55
48 89 fe 48 c7 c7 b8 01 81 8a 48 89 e5 e8 ba c3 fe ff <0f> 0b 48 c7 c7 90 f7 48
8a e8 df ff ff ff 48 c7 c7 98 f7 48 8a e8
RSP: 0018:ffffb04803df3e28 EFLAGS: 00010246
RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8de3bdc58ac0 RDI: ffff8de3bdc58ac0
RBP: ffffb04803df3e28 R08: 0000000000000000 R09: ffffb04803df3c20
R10: ffffb04803df3c18 R11: ffffffff8af53588 R12: ffff8de089aa7440
R13: ffff8de2c3862598 R14: 0000000000000000 R15: ffffb0480366f428
FS:  0000000000000000(0000) GS:ffff8de3bdc40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa10098f000 CR3: 0000000194fa6005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
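The oops above is the FORTIFY_SOURCE memcpy bounds check (fortify_panic) firing inside u2fzero_rng_read on the hwrng fill kthread: the driver copied more bytes out of a HID response than the destination or source object could hold. As an added illustration, not the driver's code, the function below shows the shape of a copy from a HID frame into an hwrng buffer that trusts none of the three lengths involved (bytes actually received, bytes the device declares, bytes the caller can hold); the frame layout, header size and helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a U2F HID report: a fixed 64-byte frame whose
 * header declares how many payload bytes follow. Not the driver's structs. */
#define HID_FRAME_LEN 64u
struct hid_frame {
    uint32_t cid;                        /* channel id */
    uint8_t  cmd;                        /* command byte */
    uint8_t  bcnth;                      /* declared payload length, high byte */
    uint8_t  bcntl;                      /* declared payload length, low byte */
    uint8_t  data[HID_FRAME_LEN - 7];    /* payload: 57 bytes */
};

#define HDR_LEN offsetof(struct hid_frame, data)   /* 7 */

static size_t min3sz(size_t a, size_t b, size_t c)
{
    size_t m = a < b ? a : b;
    return m < c ? m : c;
}

/* Build a sample frame (constructed data: byte i of the payload is i + 1). */
struct hid_frame make_frame(uint16_t declared)
{
    struct hid_frame f;
    memset(&f, 0, sizeof f);
    f.bcnth = (uint8_t)(declared >> 8);
    f.bcntl = (uint8_t)(declared & 0xff);
    for (size_t i = 0; i < sizeof f.data; i++)
        f.data[i] = (uint8_t)(i + 1);
    return f;
}

/* Copy random bytes from a received frame into the caller's buffer.
 * `received` is what the transport actually delivered, `max` is the space
 * in `out`. Returns the number of bytes copied, 0 for a frame too short
 * to carry any payload (an error or short read must yield no data). */
size_t rng_copy(uint8_t *out, size_t max, const struct hid_frame *f, size_t received)
{
    /* Check before subtracting: received - HDR_LEN must never wrap. */
    if (received < HDR_LEN)
        return 0;
    size_t declared = ((size_t)f->bcnth << 8) | f->bcntl;
    size_t n = min3sz(received - HDR_LEN, declared, max);
    if (n > sizeof f->data)          /* the source object is a hard bound too */
        n = sizeof f->data;
    memcpy(out, f->data, n);
    return n;
}
```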
