On Mon, May 17, 2021 at 12:00:19PM +0200, Oliver Neukum wrote:
> On Monday, 17.05.2021, 01:01 +0000, Hayes Wang wrote:
> > Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> > > Sent: Friday, May 14, 2021 11:33 PM
> > >
> > > So if a peculiar emulated device created by syzbot is capable of
> > > crashing the driver, then somewhere there is a bug which needs to be
> > > fixed. It's true that fixing all these bugs might not protect against a
> > > malicious device which deliberately behaves in an apparently reasonable
> > > manner. But it does reduce the attack surface.
> >
> > Thanks for your response.
> > I will add some checks.
>
> Hi,
>
> the problem in this particular case is in
> static bool rtl_vendor_mode(struct usb_interface *intf)
> which accepts any config number. It needs to bail out
> if you find config #0 to be what the descriptors say,
> treating that as an unrecoverable error.

No, the problem is that the routine calls WARN_ON_ONCE when it doesn't
find an appropriate configuration. WARN_ON_ONCE means there is a bug or
problem in the kernel. That's not the issue here; the issue is that the
device doesn't have the expected descriptors. The line should be
dev_warn(), not WARN_ON_ONCE.

Alan Stern