* [PATCH] USB: core: limit access to rawdescriptors which were not allocated
@ 2020-08-25 16:16 yanfei.xu
2020-08-25 17:56 ` kernel test robot
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: yanfei.xu @ 2020-08-25 16:16 UTC (permalink / raw)
To: gregkh; +Cc: linux-usb, linux-kernel
From: Yanfei Xu <yanfei.xu@windriver.com>
When using systemcall to read the rawdescriptors, make sure we won't
access to the rawdescriptors never allocated, which are number
exceed the USB_MAXCONFIG.
Reported-by: syzbot+256e56ddde8b8957eabd@syzkaller.appspotmail.com
Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
---
drivers/usb/core/sysfs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
index a2ca38e25e0c..1a7a625e5f55 100644
--- a/drivers/usb/core/sysfs.c
+++ b/drivers/usb/core/sysfs.c
@@ -895,7 +895,8 @@ read_descriptors(struct file *filp, struct kobject *kobj,
* configurations (config plus subsidiary descriptors).
*/
for (cfgno = -1; cfgno < udev->descriptor.bNumConfigurations &&
- nleft > 0; ++cfgno) {
+ nleft > 0 &&
+ cfgno < USB_MAXCONFIG; ++cfgno) {
if (cfgno < 0) {
src = &udev->descriptor;
srclen = sizeof(struct usb_device_descriptor);
--
2.18.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] USB: core: limit access to rawdescriptors which were not allocated
2020-08-25 16:16 [PATCH] USB: core: limit access to rawdescriptors which were not allocated yanfei.xu
@ 2020-08-25 17:56 ` kernel test robot
2020-08-25 18:00 ` Alan Stern
2020-08-25 21:35 ` kernel test robot
2 siblings, 0 replies; 5+ messages in thread
From: kernel test robot @ 2020-08-25 17:56 UTC (permalink / raw)
To: yanfei.xu, gregkh; +Cc: kbuild-all, linux-usb, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 3210 bytes --]
Hi,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on usb/usb-testing]
[also build test ERROR on balbi-usb/testing/next peter.chen-usb/ci-for-usb-next v5.9-rc2 next-20200825]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/yanfei-xu-windriver-com/USB-core-limit-access-to-rawdescriptors-which-were-not-allocated/20200826-002050
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
config: i386-allyesconfig (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce (this is a W=1 build):
# save the attached .config to linux build tree
make W=1 ARCH=i386
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
drivers/usb/core/sysfs.c: In function 'read_descriptors':
>> drivers/usb/core/sysfs.c:899:12: error: 'USB_MAXCONFIG' undeclared (first use in this function); did you mean 'USB_DT_CONFIG'?
899 | cfgno < USB_MAXCONFIG; ++cfgno) {
| ^~~~~~~~~~~~~
| USB_DT_CONFIG
drivers/usb/core/sysfs.c:899:12: note: each undeclared identifier is reported only once for each function it appears in
# https://github.com/0day-ci/linux/commit/dda85cff0852edc4723d1175486a50024ee7289a
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review yanfei-xu-windriver-com/USB-core-limit-access-to-rawdescriptors-which-were-not-allocated/20200826-002050
git checkout dda85cff0852edc4723d1175486a50024ee7289a
vim +899 drivers/usb/core/sysfs.c
880
881 static ssize_t
882 read_descriptors(struct file *filp, struct kobject *kobj,
883 struct bin_attribute *attr,
884 char *buf, loff_t off, size_t count)
885 {
886 struct device *dev = kobj_to_dev(kobj);
887 struct usb_device *udev = to_usb_device(dev);
888 size_t nleft = count;
889 size_t srclen, n;
890 int cfgno;
891 void *src;
892
893 /* The binary attribute begins with the device descriptor.
894 * Following that are the raw descriptor entries for all the
895 * configurations (config plus subsidiary descriptors).
896 */
897 for (cfgno = -1; cfgno < udev->descriptor.bNumConfigurations &&
898 nleft > 0 &&
> 899 cfgno < USB_MAXCONFIG; ++cfgno) {
900 if (cfgno < 0) {
901 src = &udev->descriptor;
902 srclen = sizeof(struct usb_device_descriptor);
903 } else {
904 src = udev->rawdescriptors[cfgno];
905 srclen = __le16_to_cpu(udev->config[cfgno].desc.
906 wTotalLength);
907 }
908 if (off < srclen) {
909 n = min(nleft, srclen - (size_t) off);
910 memcpy(buf, src + off, n);
911 nleft -= n;
912 buf += n;
913 off = 0;
914 } else {
915 off -= srclen;
916 }
917 }
918 return count - nleft;
919 }
920
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 74720 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] USB: core: limit access to rawdescriptors which were not allocated
2020-08-25 16:16 [PATCH] USB: core: limit access to rawdescriptors which were not allocated yanfei.xu
2020-08-25 17:56 ` kernel test robot
@ 2020-08-25 18:00 ` Alan Stern
2020-08-26 6:56 ` Xu, Yanfei
2020-08-25 21:35 ` kernel test robot
2 siblings, 1 reply; 5+ messages in thread
From: Alan Stern @ 2020-08-25 18:00 UTC (permalink / raw)
To: yanfei.xu; +Cc: gregkh, linux-usb, linux-kernel
On Wed, Aug 26, 2020 at 12:16:59AM +0800, yanfei.xu@windriver.com wrote:
> From: Yanfei Xu <yanfei.xu@windriver.com>
>
> When using systemcall to read the rawdescriptors, make sure we won't
> access to the rawdescriptors never allocated, which are number
> exceed the USB_MAXCONFIG.
>
> Reported-by: syzbot+256e56ddde8b8957eabd@syzkaller.appspotmail.com
> Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
> ---
> drivers/usb/core/sysfs.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
> index a2ca38e25e0c..1a7a625e5f55 100644
> --- a/drivers/usb/core/sysfs.c
> +++ b/drivers/usb/core/sysfs.c
> @@ -895,7 +895,8 @@ read_descriptors(struct file *filp, struct kobject *kobj,
> * configurations (config plus subsidiary descriptors).
> */
> for (cfgno = -1; cfgno < udev->descriptor.bNumConfigurations &&
> - nleft > 0; ++cfgno) {
> + nleft > 0 &&
> + cfgno < USB_MAXCONFIG; ++cfgno) {
> if (cfgno < 0) {
> src = &udev->descriptor;
> srclen = sizeof(struct usb_device_descriptor);
This is not the right way to fix the problem.
Instead, we should make sure that udev->descriptor.bNumConfigurations is
always <= USB_MAXCONFIG. That's what this code in
usb_get_configuration() is supposed to do:
int ncfg = dev->descriptor.bNumConfigurations;
...
if (ncfg > USB_MAXCONFIG) {
dev_warn(ddev, "too many configurations: %d, "
"using maximum allowed: %d\n", ncfg, USB_MAXCONFIG);
dev->descriptor.bNumConfigurations = ncfg = USB_MAXCONFIG;
}
If you want to fix the bug, you need to figure out why this isn't
working.
Alan Stern
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] USB: core: limit access to rawdescriptors which were not allocated
2020-08-25 16:16 [PATCH] USB: core: limit access to rawdescriptors which were not allocated yanfei.xu
2020-08-25 17:56 ` kernel test robot
2020-08-25 18:00 ` Alan Stern
@ 2020-08-25 21:35 ` kernel test robot
2 siblings, 0 replies; 5+ messages in thread
From: kernel test robot @ 2020-08-25 21:35 UTC (permalink / raw)
To: yanfei.xu, gregkh; +Cc: kbuild-all, clang-built-linux, linux-usb, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 3383 bytes --]
Hi,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on usb/usb-testing]
[also build test ERROR on balbi-usb/testing/next peter.chen-usb/ci-for-usb-next v5.9-rc2 next-20200825]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/yanfei-xu-windriver-com/USB-core-limit-access-to-rawdescriptors-which-were-not-allocated/20200826-002050
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
config: arm-randconfig-r015-20200826 (attached as .config)
compiler: clang version 12.0.0 (https://github.com/llvm/llvm-project 77e5a195f818b9ace91f7b12ab948b21d7918238)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
>> drivers/usb/core/sysfs.c:899:12: error: use of undeclared identifier 'USB_MAXCONFIG'
cfgno < USB_MAXCONFIG; ++cfgno) {
^
1 error generated.
# https://github.com/0day-ci/linux/commit/dda85cff0852edc4723d1175486a50024ee7289a
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review yanfei-xu-windriver-com/USB-core-limit-access-to-rawdescriptors-which-were-not-allocated/20200826-002050
git checkout dda85cff0852edc4723d1175486a50024ee7289a
vim +/USB_MAXCONFIG +899 drivers/usb/core/sysfs.c
880
881 static ssize_t
882 read_descriptors(struct file *filp, struct kobject *kobj,
883 struct bin_attribute *attr,
884 char *buf, loff_t off, size_t count)
885 {
886 struct device *dev = kobj_to_dev(kobj);
887 struct usb_device *udev = to_usb_device(dev);
888 size_t nleft = count;
889 size_t srclen, n;
890 int cfgno;
891 void *src;
892
893 /* The binary attribute begins with the device descriptor.
894 * Following that are the raw descriptor entries for all the
895 * configurations (config plus subsidiary descriptors).
896 */
897 for (cfgno = -1; cfgno < udev->descriptor.bNumConfigurations &&
898 nleft > 0 &&
> 899 cfgno < USB_MAXCONFIG; ++cfgno) {
900 if (cfgno < 0) {
901 src = &udev->descriptor;
902 srclen = sizeof(struct usb_device_descriptor);
903 } else {
904 src = udev->rawdescriptors[cfgno];
905 srclen = __le16_to_cpu(udev->config[cfgno].desc.
906 wTotalLength);
907 }
908 if (off < srclen) {
909 n = min(nleft, srclen - (size_t) off);
910 memcpy(buf, src + off, n);
911 nleft -= n;
912 buf += n;
913 off = 0;
914 } else {
915 off -= srclen;
916 }
917 }
918 return count - nleft;
919 }
920
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 34853 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] USB: core: limit access to rawdescriptors which were not allocated
2020-08-25 18:00 ` Alan Stern
@ 2020-08-26 6:56 ` Xu, Yanfei
0 siblings, 0 replies; 5+ messages in thread
From: Xu, Yanfei @ 2020-08-26 6:56 UTC (permalink / raw)
To: Alan Stern; +Cc: gregkh, linux-usb, linux-kernel
On 8/26/20 2:00 AM, Alan Stern wrote:
> On Wed, Aug 26, 2020 at 12:16:59AM +0800, yanfei.xu@windriver.com wrote:
>> From: Yanfei Xu <yanfei.xu@windriver.com>
>>
>> When using systemcall to read the rawdescriptors, make sure we won't
>> access to the rawdescriptors never allocated, which are number
>> exceed the USB_MAXCONFIG.
>>
>> Reported-by: syzbot+256e56ddde8b8957eabd@syzkaller.appspotmail.com
>> Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
>> ---
>> drivers/usb/core/sysfs.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
>> index a2ca38e25e0c..1a7a625e5f55 100644
>> --- a/drivers/usb/core/sysfs.c
>> +++ b/drivers/usb/core/sysfs.c
>> @@ -895,7 +895,8 @@ read_descriptors(struct file *filp, struct kobject *kobj,
>> * configurations (config plus subsidiary descriptors).
>> */
>> for (cfgno = -1; cfgno < udev->descriptor.bNumConfigurations &&
>> - nleft > 0; ++cfgno) {
>> + nleft > 0 &&
>> + cfgno < USB_MAXCONFIG; ++cfgno) {
>> if (cfgno < 0) {
>> src = &udev->descriptor;
>> srclen = sizeof(struct usb_device_descriptor);
>
> This is not the right way to fix the problem.
>
> Instead, we should make sure that udev->descriptor.bNumConfigurations is
> always <= USB_MAXCONFIG. That's what this code in
> usb_get_configuration() is supposed to do:
>
> int ncfg = dev->descriptor.bNumConfigurations;
> ...
>
> if (ncfg > USB_MAXCONFIG) {
> dev_warn(ddev, "too many configurations: %d, "
> "using maximum allowed: %d\n", ncfg, USB_MAXCONFIG);
> dev->descriptor.bNumConfigurations = ncfg = USB_MAXCONFIG;
> }
>
> If you want to fix the bug, you need to figure out why this isn't
> working.
Thanks for you suggestion. The patch is not right. I'll try to look
into the root cause.
Regard,
Yanfei.
>
> Alan Stern
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-08-26 6:57 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-25 16:16 [PATCH] USB: core: limit access to rawdescriptors which were not allocated yanfei.xu
2020-08-25 17:56 ` kernel test robot
2020-08-25 18:00 ` Alan Stern
2020-08-26 6:56 ` Xu, Yanfei
2020-08-25 21:35 ` kernel test robot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).