[PATCH 0/7] Input: fix NULL-derefs at probe
This series fixes a number of NULL-pointer dereferences due to missing endpoint sanity checks that can be triggered by a malicious USB device. Johan Johan Hovold (7): Input: iforce - fix NULL-deref at probe Input: cm109 - fix NULL-deref at probe Input: ims-pcu - fix NULL-deref at probe Input: yealink - fix NULL-deref at probe Input: hanwang - fix NULL-deref at probe Input: kbtab - fix NULL-deref at probe Input: sur40 - fix NULL-deref at probe drivers/input/joystick/iforce/iforce-usb.c | 3 +++ drivers/input/misc/cm109.c | 4 drivers/input/misc/ims-pcu.c | 4 drivers/input/misc/yealink.c | 4 drivers/input/tablet/hanwang.c | 3 +++ drivers/input/tablet/kbtab.c | 3 +++ drivers/input/touchscreen/sur40.c | 3 +++ 7 files changed, 24 insertions(+) -- 2.12.0 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 0/7] Input: fix NULL-derefs at probe
Am Montag, den 13.03.2017, 13:35 +0100 schrieb Johan Hovold: > This series fixes a number of NULL-pointer dereferences due to > missing > endpoint sanity checks that can be triggered by a malicious USB > device. > At the risk of repeating myself, doesn't the sheer number of fixes demonstrate the need for a more centralized check? Regards Oliver -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 0/7] Input: fix NULL-derefs at probe
On Mon, Mar 13, 2017 at 04:15:18PM +0100, Oliver Neukum wrote: > Am Montag, den 13.03.2017, 13:35 +0100 schrieb Johan Hovold: > > This series fixes a number of NULL-pointer dereferences due to > > missing > > endpoint sanity checks that can be triggered by a malicious USB > > device. > > At the risk of repeating myself, doesn't the sheer number of fixes > demonstrate the need for a more centralized check? No, I don't think that follows. These are plain bugs that needs to be fixed (cf. not checking for allocation failures or whatever) and backported to the stable trees. I think I may have surveyed just about every USB driver this last week, and there is no single pattern for how endpoints are verified and retrieved that could easily be refactored into USB core. Now there are certain patterns that could benefit from a few helpers, and some obvious bugs could then be caught by declaring those helpers as __must_check. But specifically, you'd still be checking the return value from the helpers. Then verifying the endpoint counts before calling driver probe, typically only saves a bit of time while probing *malicious* devices (and the occasional odd interface which cannot be matched on other attributes). That being said, we could still add a centralised sanity check for a large class of drivers (e.g. that do not use altsettings and only need minimum constraints) but it's not going to obviate the need for careful driver implementations. I'll be posting some more patches related to this shortly. Thanks, Johan -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 0/7] Input: fix NULL-derefs at probe
On Mon, Mar 13, 2017 at 04:45:52PM +0100, Johan Hovold wrote: > On Mon, Mar 13, 2017 at 04:15:18PM +0100, Oliver Neukum wrote: > > Am Montag, den 13.03.2017, 13:35 +0100 schrieb Johan Hovold: > > > This series fixes a number of NULL-pointer dereferences due to > > > missing > > > endpoint sanity checks that can be triggered by a malicious USB > > > device. > > > > At the risk of repeating myself, doesn't the sheer number of fixes > > demonstrate the need for a more centralized check? > > No, I don't think that follows. These are plain bugs that needs to be > fixed (cf. not checking for allocation failures or whatever) and > backported to the stable trees. > > I think I may have surveyed just about every USB driver this last week, > and there is no single pattern for how endpoints are verified and > retrieved that could easily be refactored into USB core. > > Now there are certain patterns that could benefit from a few helpers, > and some obvious bugs could then be caught by declaring those helpers as > __must_check. But specifically, you'd still be checking the return > value from the helpers. > > Then verifying the endpoint counts before calling driver probe, > typically only saves a bit of time while probing *malicious* devices > (and the occasional odd interface which cannot be matched on other > attributes). > > That being said, we could still add a centralised sanity check for a > large class of drivers (e.g. that do not use altsettings and only need > minimum constraints) but it's not going to obviate the need for careful > driver implementations. > > I'll be posting some more patches related to this shortly. There were some discussions about making and that would allow drivers declare endpoints they want and have USB core ether fill them or not even try to bind, but nothing concrete. Anyway, I do not think we should be blocking this patch series on it; if we come up with something clever we can always switch over. Applied the lot. Thanks. -- Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 0/7] Input: fix NULL-derefs at probe
On Thu, Mar 16, 2017 at 03:37:28PM -0700, Dmitry Torokhov wrote: > On Mon, Mar 13, 2017 at 04:45:52PM +0100, Johan Hovold wrote: > > On Mon, Mar 13, 2017 at 04:15:18PM +0100, Oliver Neukum wrote: > > > Am Montag, den 13.03.2017, 13:35 +0100 schrieb Johan Hovold: > > > > This series fixes a number of NULL-pointer dereferences due to > > > > missing endpoint sanity checks that can be triggered by a > > > > malicious USB device. > Applied the lot. I noticed you dropped the Fixes tag from the patches that fix bugs which predate git. While this is probably not much of an issue in this case, I think it's generally a bad idea since we're loosing information this way, and this specifically makes it harder for the stable maintainers to figure out which tree to backport a fix to. Thanks, Johan -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 0/7] Input: fix NULL-derefs at probe
On Fri, Mar 17, 2017 at 11:53:37AM +0100, Johan Hovold wrote: > On Thu, Mar 16, 2017 at 03:37:28PM -0700, Dmitry Torokhov wrote: > > On Mon, Mar 13, 2017 at 04:45:52PM +0100, Johan Hovold wrote: > > > On Mon, Mar 13, 2017 at 04:15:18PM +0100, Oliver Neukum wrote: > > > > Am Montag, den 13.03.2017, 13:35 +0100 schrieb Johan Hovold: > > > > > This series fixes a number of NULL-pointer dereferences due to > > > > > missing endpoint sanity checks that can be triggered by a > > > > > malicious USB device. > > > Applied the lot. > > I noticed you dropped the Fixes tag from the patches that fix bugs which > predate git. While this is probably not much of an issue in this case, I > think it's generally a bad idea since we're loosing information this > way, and this specifically makes it harder for the stable maintainers to > figure out which tree to backport a fix to. As far as I know the rule is: if no special markings then stable patch should be applied as far as it can go. There is no reason to say specify 2.6.12 commit, as in fact the offending change is likely to be even earlier, so the annotation would be effectively wrong. Thanks. -- Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 0/7] Input: fix NULL-derefs at probe
On Fri, Mar 17, 2017 at 02:03:15PM -0700, Dmitry Torokhov wrote:
> On Fri, Mar 17, 2017 at 11:53:37AM +0100, Johan Hovold wrote:
> > On Thu, Mar 16, 2017 at 03:37:28PM -0700, Dmitry Torokhov wrote:
> > > On Mon, Mar 13, 2017 at 04:45:52PM +0100, Johan Hovold wrote:
> > > > On Mon, Mar 13, 2017 at 04:15:18PM +0100, Oliver Neukum wrote:
> > > > > Am Montag, den 13.03.2017, 13:35 +0100 schrieb Johan Hovold:
> > > > > > This series fixes a number of NULL-pointer dereferences due to
> > > > > > missing endpoint sanity checks that can be triggered by a
> > > > > > malicious USB device.
> >
> > > Applied the lot.
> >
> > I noticed you dropped the Fixes tag from the patches that fix bugs which
> > predate git. While this is probably not much of an issue in this case, I
> > think it's generally a bad idea since we're loosing information this
> > way, and this specifically makes it harder for the stable maintainers to
> > figure out which tree to backport a fix to.
>
> As far as I know the rule is: if no special markings then stable patch
> should be applied as far as it can go.
That's true for the stable tag itself, yes.
> There is no reason to say specify 2.6.12 commit, as in fact the
> offending change is likely to be even earlier, so the annotation would
> be effectively wrong.
It is still the first git commit which has the bug, and everyone
(dealing with code forensics) knows that 1da177e4c3f4
("Linux-2.6.12-rc2") is special.
Adding a Fixes-tag pointing to that initial commit, makes it clear that
bug has indeed been tracked as far back as reasonable. Omission of a
Fixes-tag could on the other hand be due to the submitter not bothering
to track the offending commit, thereby leaving it up to a stable
maintainer to do so (if only just be sure).
Thanks,
Johan
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
