On Thu, 28 Jul 2016, Alan Stern wrote: > On Thu, 28 Jul 2016, Greg KH wrote: > > > On Thu, Jul 28, 2016 at 12:23:01PM -0400, roswest wrote: > > > > > > Alan, > > > > > > Hi, I am an engineer at Cisco Systems, and this summer we tasked some > > > interns with performing USB fuzzing. One of the interns, Jake Lamberson, > > > was able to cause a kernel panic when emulating an HID keyboard because > > > the OHCI driver fails to reserve bandwidth for the device. Please see > > > the attachment for details. > > > > > > Thank you, > > > Rosie Hall > > > > > > > > Headline: Linux Kernel Panic Over USB with HID Keyboard wMaxPacketSize > > > Platforms: Ubuntu > > > Versions: Linux Kernel 4.4.0-22-generic > > > CVSS Score: 4.7 > > > CVSS Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C > > > Filed Defects: > > > Related Defects: > > > CWE Tags: > > > Cycle: > > > Found by: Jake Lamberson > > > > > > > > > Linux Kernel panics when using an OHCI controller if a USB device reports being > > > a generic HID keyboard and reports a wMaxPacketSize of over 4095. The OHCI > > > controller driver fails to reserve bandwidth for the device, causing the > > > keyboard handler to fail when attaching to the HID. Later, when the device is > > > removed, the system crashes due to a null pointer dereference in a linked list > > > of endpoint descriptors. The crash can be re-created using a Facedancer and UMAP > > > software. Given an appropriately configured Facedancer and UMAP setup, the crash > > > can be re-created with: > > > sudo board=facedancer21 python3 umap.py -P /dev/serial_device_here -f 03:00:00:E:0046 -l LOG I forgot to mention that the original NULL-pointer dereference bug should already be fixed by commit c66f59ee5050 ("USB: OHCI: Don't mark EDs as ED_OPER if scheduling fails"). However I don't know if this commit has been back-ported to the kernel being tested. Alan Stern -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html