On Thu, Apr 11, 2024 at 05:37:13PM +0200, Oliver Neukum wrote:
> On 11.04.24 16:09, Greg KH wrote:
>
> > Right now, we barely trust USB descriptors, if we wish to change this
> > threat-model, that's great, but I think a lot of work is still to be
> > done as you prove here.
>
> Indeed. As this is fiddly and holes are easy to overlook,
> anything I've missed?

We have had loads of fuzzing on the basic "parse the descriptors" logic,
so that's looking much better than before. If you have actual
test-cases for the series you have here, that would help as well (we
need to integrate the syzbot usb descriptor fuzzing logic into kselftest
one of these days) so that both you can test if the changes are needed
(as Alan is pointing out they might not be), and that we can ensure that
future changes do not break anything.

But once a driver takes over for the device, all bets are off, we are
just now possibly hoping that the endpoint assignment logic in drivers is
correct (so any help there is always appreciated), but after that, the
size of the endpoints and other basic protocol handling is fully
"trusted" and odds are no error checking is happening anywhere in almost
any driver.

So that means you still can not treat USB devices as "untrusted", sorry.
Just like any other hardware device in Linux. So the threat-model is
the same, we have to trust the hardware.

thanks,

greg k-h
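
The driver-side checks the message says are usually missing (endpoint type, direction and size), sketched as an added example that is not part of this thread and is not kernel code. It is plain userspace C; `find_bulk_in`, `struct ep_info`, the macro names and the descriptor bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define DT_ENDPOINT      0x05
#define DT_ENDPOINT_SIZE 7
#define XFER_MASK        0x03
#define XFER_BULK        0x02
#define DIR_IN           0x80

struct ep_info { uint8_t addr; uint16_t maxp; };

/* Constructed samples (not captured from a real device). */
static const uint8_t good_desc[] = {
    9, 0x04, 0, 0, 1, 0xff, 0, 0, 0,     /* interface, one endpoint */
    7, 0x05, 0x81, 0x02, 0x00, 0x02, 0,  /* EP1 IN, bulk, wMaxPacketSize 512 */
};
static const uint8_t zero_maxp[]  = { 7, 0x05, 0x81, 0x02, 0x00, 0x00, 0 };
static const uint8_t wrong_type[] = { 7, 0x05, 0x81, 0x03, 0x40, 0x00, 0 };
static const uint8_t bad_len[]    = { 7, 0x05, 0x81, 0x02, 0x00 };

/* Return 0 and fill *out with the first bulk-IN endpoint whose packets fit
 * in rx_buf_size bytes; -1 if the blob is malformed or none qualifies. */
int find_bulk_in(const uint8_t *buf, size_t len, size_t rx_buf_size,
                 struct ep_info *out)
{
    size_t off = 0;

    while (off + 2 <= len) {
        uint8_t blen = buf[off], type = buf[off + 1];
        /* bLength must cover its header and stay inside the buffer. */
        if (blen < 2 || blen > len - off)
            return -1;
        if (type == DT_ENDPOINT) {
            if (blen < DT_ENDPOINT_SIZE)
                return -1;               /* truncated endpoint descriptor */
            uint8_t addr = buf[off + 2], attr = buf[off + 3];
            /* wMaxPacketSize is little-endian; bits 10..0 hold the size. */
            uint16_t maxp = (buf[off + 4] | (buf[off + 5] << 8)) & 0x07ff;
            if ((attr & XFER_MASK) == XFER_BULK && (addr & DIR_IN) &&
                (addr & 0x0f) != 0 && maxp != 0 && maxp <= rx_buf_size) {
                out->addr = addr;
                out->maxp = maxp;
                return 0;
            }
        }
        off += blen;
    }
    return -1;
}
```

A driver that rejects the device when such a check fails never sizes a transfer from an endpoint it did not expect; descriptors that pass core parsing can still fail here.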