Re: lsusb segfault

On 12.07.2011 07:52, Carl-Daniel Hailfinger wrote:
> Hi Greg,
>
> it seems this segfault bugfix was not merged in usbutils-003. Is there
> anything I can do to get this merged?
>   

I forgot to mention that this patch was also sent in a separate mail
with subject
[PATCH] Fix lsusb out-of-bounds write

Regards,
Carl-Daniel

> Regards,
> Carl-Daniel
>
> On 25.05.2011 01:06, Carl-Daniel Hailfinger wrote:
>   
>> On 25.05.2011 00:18, Greg KH wrote:
>>     
>>> On Wed, May 25, 2011 at 12:02:48AM +0200, Carl-Daniel Hailfinger wrote:
>>>   
>>>       
>>>> Hi,
>>>>
>>>> I was playing with the "authorized" attribute of USB devices in
>>>> sysfs. If I have at least one device with authorized=0, one or more
>>>> lsusb bugs are triggered.
>>>>
>>>> "lsusb" will print nothing (really nothing, not even the host
>>>> controllers)
>>>>
>>>> "lsusb -t" will segfault.
>>>> gdb output follows.
>>>> Core was generated by `lsusb -t'.
>>>> Program terminated with signal 11, Segmentation fault.
>>>> #0  read_sysfs_file_string (d_name=<value optimized out>,
>>>> file=<value optimized out>, buf=0x180fd10 "", len=-1) at lsusb-t.c:246
>>>> 246                             if (buf[r] == '\n')
>>>> (gdb) bt
>>>> #0  read_sysfs_file_string (d_name=<value optimized out>,
>>>> file=<value optimized out>, buf=0x180fd10 "", len=-1) at lsusb-t.c:246
>>>> #1  0x000000000040b134 in add_usb_device (d_name=0x180764b "2-3") at
>>>> lsusb-t.c:380
>>>> #2  0x000000000040b6d8 in inspect_bus_entry () at lsusb-t.c:462
>>>> #3  walk_usb_devices () at lsusb-t.c:471
>>>> #4  lsusb_t () at lsusb-t.c:701
>>>> #5  0x0000000000401c7d in treedump () at lsusb.c:3925
>>>> #6  0x000000000040a26c in main (argc=2, argv=0x7fff461f5128) at
>>>> lsusb.c:4052
>>>>
>>>> This is usbutils-002 on openSUSE 11.3, vanilla kernel 2.6.39, x86_64.
>>>>
>>>> Same problem exists with usbutils-0.84 on that machine.
>>>>
>>>> Any hints would be appreciated. I'd send lsusb output, but it is
>>>> empty for the case where the bug is triggered.
>>>>      
>>>>         
>>> Well, if the device can't be accessed, as you disabled it through the
>>> authorised=0 setting, lsusb shouldn't really be able to do much with it.
>>>    
>>>       
>> "lsusb" (without -v) should be able to list it with vendor:device ID
>> and bus location. That info is available from sysfs even for devices
>> with authorized=0. To test that, I just wrote a shell script which
>> provides the same output as lsusb, and it works fine regardless of the
>> authorized=[01] status of any device.
>>
>>
>>
>>     
>>> But it shouldn't crash.  I'll look at that next week when I get a
>>> chance, thanks for the bug report.
>>>    
>>>       
>> Found the crasher bug. Patch follows (whitespace-damaged, I can resend
>> once I have access to a proper mailer again).
>>
>>
>> If read_sysfs_file_string() encounters a zero-length file, it will
>> write '\0' at index -1 of the provided buffer. Handle zero-length
>> files gracefully by falling through to the error handler which does
>> the right thing (tm).
>>
>> Signed-off-by: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@xxxxxxx>
>>
>> diff --git a/lsusb-t.c b/lsusb-t.c
>> index 8bcdbf1..5438704 100644
>> --- a/lsusb-t.c
>> +++ b/lsusb-t.c
>> @@ -235,7 +235,7 @@ static void read_sysfs_file_string(const char
>> *d_name, const char *file, char *b
>>          goto error;
>>      r = read(fd, buf, len);
>>      close(fd);
>> -    if (r >= 0&& r < len) {
>> +    if (r > 0&& r < len) {
>>          buf[r] = '\0';
>>          r--;
>>          while (buf[r] == '\n') {
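
Review bot: the loop condition `while (buf[r] == '\n')` that follows `r--` still has no lower bound on r, so the new `r > 0` test only covers the empty-file case. With r == 1 and a buffer holding a single newline, r becomes 0 and the loop is entered; its body is not visible in this hunk, but if it decrements r, the next test reads buf[-1]. Consider `while (r >= 0 && buf[r] == '\n')`. Separately, `0&& r` is missing a space on both the removed and the added line, which matches the whitespace damage mentioned in the mail, so a clean resend is needed before this can be applied.
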
>>
>>
>>     
>
>   


-- 
http://www.hailfinger.org/
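
An added illustration, not part of this thread and not usbutils code: a bounds-checked read-and-trim routine covering the zero-length case described above, plus the all-newline and full-buffer cases. The names `read_trimmed`, `trimmed_from_bytes` and `demo` are hypothetical, and a pipe stands in for the sysfs file so the sample inputs are constructed inline.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not usbutils code: read at most len bytes from fd,
 * NUL-terminate and strip trailing newlines. Returns the string length,
 * or -1 (with buf set to "") on read error, empty input or a full buffer. */
static ssize_t read_trimmed(int fd, char *buf, size_t len)
{
    ssize_t r;

    if (buf == NULL || len == 0)
        return -1;
    r = read(fd, buf, len);
    if (r <= 0 || (size_t)r >= len) {    /* r == 0: zero-length file */
        buf[0] = '\0';
        return -1;
    }
    buf[r] = '\0';
    while (r > 0 && buf[r - 1] == '\n')  /* bound checked before each access */
        buf[--r] = '\0';
    return r;
}

/* Constructed harness: feed n bytes through a pipe, so n == 0 makes
 * read() return 0 just as a zero-length file would. */
static ssize_t trimmed_from_bytes(const char *data, size_t n, char *buf, size_t len)
{
    int p[2], ok;
    ssize_t r;

    if (pipe(p) != 0)
        return -2;
    ok = (n == 0 || write(p[1], data, n) == (ssize_t)n);
    close(p[1]);                         /* reader sees EOF after n bytes */
    r = ok ? read_trimmed(p[0], buf, len) : -2;
    close(p[0]);
    return r;
}

/* guard occupies the byte at buf[-1], where the stray '\0' would land */
static struct { char guard; char buf[16]; } demo = { 'G', "" };

int main(void)
{
    printf("empty: %ld\n", (long)trimmed_from_bytes("", 0, demo.buf, sizeof demo.buf));
    printf("newline only: %ld\n", (long)trimmed_from_bytes("\n", 1, demo.buf, sizeof demo.buf));
    printf("guard intact: %d\n", demo.guard == 'G');
    return 0;
}
```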
