Re: general protection fault in flexcop_usb_probe

Andrey Konovalov <andreyknvl@xxxxxxxxxx> · Mon, 29 Jul 2019 18:54:53 +0200

On Mon, Jul 29, 2019 at 5:05 PM syzbot
<syzbot+d93dff37e6a89431c158@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> syzbot+d93dff37e6a89431c158@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> Tested on:
>
> commit:         6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git
> usb-fuzzer-usb-testing-2019.07.11
> kernel config:  https://syzkaller.appspot.com/x/.config?x=662450485a75f217
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=1036e80c600000
>
> Note: testing is done by a robot and is best-effort only.

Hi Oliver,

Thanks a lot for fixing all of these USB bugs!

The usb-fuzzer branch is working again, so it should be possible to
use it for testing. But, I've actually just realized, that the proper
way to test fixes for USB bugs is to use the exact commit hash that is
provided in each bug report (the kernel interface for emulating USB
device is not stable yet, and has significantly changed at least
once). I've updated syzbot documentation to reflect this.

Let's try to retest this one with the right kernel commit id:

#syz test: https://github.com/google/kasan.git 9a33b369

Thanks!




>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@xxxxxxxxxxxxxxxx.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000488c6d058ed337b2%40google.com.

diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c
index 1826ff825c2e..1a801dc286f8 100644
--- a/drivers/media/usb/b2c2/flexcop-usb.c
+++ b/drivers/media/usb/b2c2/flexcop-usb.c
@@ -538,6 +538,9 @@ static int flexcop_usb_probe(struct usb_interface *intf,
 	struct flexcop_device *fc = NULL;
 	int ret;
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	if ((fc = flexcop_device_kmalloc(sizeof(struct flexcop_usb))) == NULL) {
 		err("out of memory\n");
 		return -ENOMEM;




