>
> On 2 Aug 2016, at 19:19, Binyamin Sharet (bsharet) wrote:
>
> Hi All,
>
> I have used Umap2 to scan OpenBSD 5.9 on i386 for supported USB devices,
> and during this scan I have found 4 issues with the USB stack.
> Umap2 can be downloaded from github [1].
>
> The scanning requires some hardware - facedancer/beaglebone board,
> and consists of emulating USB devices with single configuration,
> single interface and multiple (5 IN, 5 OUT) endpoints on this interface.
> Each time the VID (vendor ID) and PID (product ID) of the emulated USB
> device are changed to match one of 155 known USB VID/PID that are
> currently in a DB in Umap2. It aims on triggering the specific driver
> for that VID/PID combination in order to detect support for it in the OS.
>
> I would refer to the issues by their VID/PID tuple from now.
>
> The first two issues - 13d3_3346 and 0cf3_9170 (handling devices with
> VID/PID 0x13d3/0x3346 and 0x0cf3/0x9170) cause a kernel panic due to
> kernel diagnostic assertion in the usbtask (file dev/usb/ehci.c,
> line 1654).
>
> The third issue - 50c2_4013 - is a page fault, caused when trying to
> read from invalid address in ehci_check_intr (movzbl 0x3(%eax), %eax).
>
> The fourth issue - 04bb_0904 - does not cause a crash, but it seems to
> cause the USB stack to hang, and so it does not communicate with any
> device that is inserted after this one, even if it was removed.
> I was not able to find any more information about this one.
>
> All issues were reproduced on my machine multiple times.
>
> In the next 4 emails I will send the details regarding each of the
> issues, as this is my first encounter with OpenBSD, I am not very
> familiar with debugging and analyzing the system, and I'll surely
> miss some required information.
> If so, please let me know what's missing and I will try my best to
> provide it.
> Most of the information is based on pictures, as I couldn't copy
> the data from the computer in any other way. If there is - please
> let me know.
>
> Regards,
> Binyamin Sharet
> Cisco, STARE-C
>
> [1]: https://github.com/nccgroup/umap2
>
Some information that was missed before:
The Umap2 command line detailed in each of the bugs was issued
on a BeagleBone black running linux, which is able to emulate a USB
device using the gadgetfs driver.
While the device descriptor is pretty standard, each time containing different
VID/PID, the configuration descriptor is rather long and unconventional,
and contain 10 endpoint descriptors within it.
Below are the descriptors sent to the host during the scan.
They are always the same (for all 4 issues) except for VID/PID.
in the device descriptor, is a placeholder for VID (little endian)
and is a placeholder for PID.
Device descriptor: 12010200ff010140010001020301
1st Configuration descriptor: 09025800010104c032
2nd Configuration descriptor (3 next lines are a single descriptor):
09025800010104c03209040aff01010007058103410705010341070582
02000201070502020002010705830141070503014107058402000201070504
02000201070585011107050502000201
Binyamin Sharet
Cisco, STARE-C
