Am Dienstag, den 21.04.2020, 16:45 -0700 schrieb syzbot: > syzbot has found a reproducer for the following crash on: > > HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta.. > git tree: https://github.com/google/kasan.git usb-fuzzer > console output: https://syzkaller.appspot.com/x/log.txt?x=12da0b58100000 > kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf > dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0 > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1146eb17e00000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=159d136fe00000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+cabfa4b5b05ff6be4ef0@xxxxxxxxxxxxxxxxxxxxxxxxx Hi, this looks to be technically caused by commit a3ea410cac41b19a5490aad7fe6d9a9a772e646e Author: Takashi Iwai <tiwai@xxxxxxx> Date: Thu Feb 6 16:45:27 2020 +0100 media: go7007: Fix URB type for interrupt handling It introduces this check: + ep = usb->usbdev->ep_in[4]; + if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) However, there is no guarantee ep_in[4] exists, if a malicious device were involved. But, I do not want to just add a check for NULL. That would just paper over the bug and the driver would fail at a later stage. How many endpoints do these devices need to have to operate? Regards Oliver
