On Wed, 22 Apr 2020 12:32:20 +0200, Oliver Neukum wrote: > > Am Dienstag, den 21.04.2020, 16:45 -0700 schrieb syzbot: > > syzbot has found a reproducer for the following crash on: > > > > HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta.. > > git tree: https://github.com/google/kasan.git usb-fuzzer > > console output: https://syzkaller.appspot.com/x/log.txt?x=12da0b58100000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf > > dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0 > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1146eb17e00000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=159d136fe00000 > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+cabfa4b5b05ff6be4ef0@xxxxxxxxxxxxxxxxxxxxxxxxx > > Hi, > > this looks to be technically caused by > > commit a3ea410cac41b19a5490aad7fe6d9a9a772e646e > Author: Takashi Iwai <tiwai@xxxxxxx> > Date: Thu Feb 6 16:45:27 2020 +0100 > > media: go7007: Fix URB type for interrupt handling > > It introduces this check: > > + ep = usb->usbdev->ep_in[4]; > + if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) > > However, there is no guarantee ep_in[4] exists, if a malicious device > were involved. But, I do not want to just add a check for NULL. That > would just paper over the bug and the driver would fail at a later > stage. Yes, the patch assumed the existence of ep 4, as you can see in the later code, the driver blindly uses the fixed endpoint for the urb. So we'll hit a problem in anyway. > How many endpoints do these devices need to have to operate? Not sure about that, but the NULL-check of ep there should be right. If ep_in[4] is NULL, the probe should fail before going to the next USB_ENDPOINT_XFER_BULK check. thanks, Takashi
