Am 12.07.2011 07:52 schrieb Carl-Daniel Hailfinger:
> Hi Greg,
>
> it seems this segfault bugfix was not merged in usbutils-003. Is there
> anything I can do to get this merged?
>
I forgot to mention that this patch was also sent in a separate mail
with subject
[PATCH] Fix lsusb out-of-bounds write
Regards,
Carl-Daniel
> Regards,
> Carl-Daniel
>
> Am 25.05.2011 01:06 schrieb Carl-Daniel Hailfinger:
>
>> Am 25.05.2011 00:18 schrieb Greg KH:
>>
>>> On Wed, May 25, 2011 at 12:02:48AM +0200, Carl-Daniel Hailfinger wrote:
>>>
>>>
>>>> Hi,
>>>>
>>>> I was playing with the "authorized" attribute of USB devices in
>>>> sysfs. If I have at least one device with authorized=0, one or more
>>>> lsusb bugs are triggered.
>>>>
>>>> "lsusb" will print nothing (really nothing, not even the host
>>>> controllers)
>>>>
>>>> "lsusb -t" will segfault.
>>>> gdb output follows.
>>>> Core was generated by `lsusb -t'.
>>>> Program terminated with signal 11, Segmentation fault.
>>>> #0 read_sysfs_file_string (d_name=<value optimized out>,
>>>> file=<value optimized out>, buf=0x180fd10 "", len=-1) at lsusb-t.c:246
>>>> 246 if (buf[r] == '\n')
>>>> (gdb) bt
>>>> #0 read_sysfs_file_string (d_name=<value optimized out>,
>>>> file=<value optimized out>, buf=0x180fd10 "", len=-1) at lsusb-t.c:246
>>>> #1 0x000000000040b134 in add_usb_device (d_name=0x180764b "2-3") at
>>>> lsusb-t.c:380
>>>> #2 0x000000000040b6d8 in inspect_bus_entry () at lsusb-t.c:462
>>>> #3 walk_usb_devices () at lsusb-t.c:471
>>>> #4 lsusb_t () at lsusb-t.c:701
>>>> #5 0x0000000000401c7d in treedump () at lsusb.c:3925
>>>> #6 0x000000000040a26c in main (argc=2, argv=0x7fff461f5128) at
>>>> lsusb.c:4052
>>>>
>>>> This is usbutils-002 on openSUSE 11.3, vanilla kernel 2.6.39, x86_64.
>>>>
>>>> Same problem exists with usbutils-0.84 on that machine.
>>>>
>>>> Any hints would be appreciated. I'd send lsusb output, but it is
>>>> empty for the case where the bug is triggered.
>>>>
>>>>
>>> Well, if the device can't be accessed, as you disabled it through the
>>> authorised=0 setting, lsusb shouldn't really be able to do much with it.
>>>
>>>
>> "lsusb" (without -v) should be able to list it with vendor:device ID
>> and bus location. That info is available from sysfs even for devices
>> with authorized=0. To test that, I just wrote a shell script which
>> provides the same output as lsusb, and it works fine regardless of the
>> authorized=[01] status of any device.
>>
>>
>>
>>
>>> But it shouldn't crash. I'll look at that next week when I get a
>>> chance, thanks for the bug report.
>>>
>>>
>> Found the crasher bug. Patch follows (whitespace-damaged, I can resend
>> once I have access to a proper mailer again).
>>
>>
>> If read_sysfs_file_string() encounters a zero-length file, it will
>> write '\0' at index -1 of the provided buffer. Handle zero-length
>> files gracefully by falling through to the error handler which does
>> the right thing (tm).
>>
>> Signed-off-by: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@xxxxxxx>
>>
>> diff --git a/lsusb-t.c b/lsusb-t.c
>> index 8bcdbf1..5438704 100644
>> --- a/lsusb-t.c
>> +++ b/lsusb-t.c
>> @@ -235,7 +235,7 @@ static void read_sysfs_file_string(const char
>> *d_name, const char *file, char *b
>> goto error;
>> r = read(fd, buf, len);
>> close(fd);
>> - if (r >= 0&& r < len) {
>> + if (r > 0&& r < len) {
>> buf[r] = '\0';
>> r--;
>> while (buf[r] == '\n') {
>>
>>
>>
>
>
--
http://www.hailfinger.org/
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
