subject:"Re\: \[PATCH\] net\: usb\: asix\: fill null\-ptr\-deref in asix

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

2017-11-06 Thread Oliver Neukum

Am Montag, den 06.11.2017, 17:05 +0100 schrieb Andrey Konovalov:
> On Mon, Nov 6, 2017 at 4:20 PM, Oliver Neukum  wrote:
> > 

> I do have a way to reproduce this.
> 
> As far as I understand, for this particular device ax88172_bind() is
> called, which doesn't assign anything to dev->driver_priv, so that's
> why it is NULL in suspend() and resume().

Thanks and ouch. That means it never worked for those devices.
That makes this a rather serious bug and your fix is right.

Regards
Oliver

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

2017-11-06 Thread Andrey Konovalov

On Mon, Nov 6, 2017 at 4:20 PM, Oliver Neukum  wrote:
> Am Montag, den 06.11.2017, 13:30 +0100 schrieb Andrey Konovalov:
>> On Mon, Nov 6, 2017 at 10:49 AM, Oliver Neukum  wrote:
>> >
>> >
>> > 2. Will a device work after that? The appropriate fix may be to wait
>> > until the device is properly initialized.
>>
>> This shouldn't affect real devices as far as I understand. The crash
>> can be caused by a crafted malicious device.
>
> Hi!
>
> Hm. That seems strange as driver_priv is kmalloced. Do you
> still have a descriptor that causes this?
> Shouldn't we rather reject such a broken device?

I do have a way to reproduce this.

As far as I understand, for this particular device ax88172_bind() is
called, which doesn't assign anything to dev->driver_priv, so that's
why it is NULL in suspend() and resume().

>
> Regards
> Oliver
>
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

2017-11-06 Thread Oliver Neukum

Am Montag, den 06.11.2017, 13:30 +0100 schrieb Andrey Konovalov:
> On Mon, Nov 6, 2017 at 10:49 AM, Oliver Neukum  wrote:
> > 
> > 
> > 2. Will a device work after that? The appropriate fix may be to wait
> > until the device is properly initialized.
> 
> This shouldn't affect real devices as far as I understand. The crash
> can be caused by a crafted malicious device.

Hi!

Hm. That seems strange as driver_priv is kmalloced. Do you
still have a descriptor that causes this?
Shouldn't we rather reject such a broken device?

Regards
Oliver

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

2017-11-06 Thread Andrey Konovalov

On Mon, Nov 6, 2017 at 10:49 AM, Oliver Neukum  wrote:
> Am Donnerstag, den 02.11.2017, 21:26 +0100 schrieb Andrey Konovalov:
>> When asix_suspend() is called dev->driver_priv might not have been
>> assigned a value, so we need to check that it's not NULL.
>>
>> Found by syzkaller.
>
> Hi,

Hi Oliver,

>
> 1. if that happens on suspend, it will also happen on resume

Indeed, got crashes in asix_resume() tonight as well. Mailed v2.

> 2. Will a device work after that? The appropriate fix may be to wait
> until the device is properly initialized.

This shouldn't affect real devices as far as I understand. The crash
can be caused by a crafted malicious device.

Go ahead if you see a better way to fix this, my patch is more of a
hot fix trying to prevent the crashes.

Thanks!

>
> Regards
> Oliver
>
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

2017-11-06 Thread Oliver Neukum

Am Donnerstag, den 02.11.2017, 21:26 +0100 schrieb Andrey Konovalov:
> When asix_suspend() is called dev->driver_priv might not have been
> assigned a value, so we need to check that it's not NULL.
> 
> Found by syzkaller.

Hi,

1. if that happens on suspend, it will also happen on resume
2. Will a device work after that? The appropriate fix may be to wait
until the device is properly initialized.

Regards
Oliver

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

2017-11-04 Thread David Miller

From: Andrey Konovalov 
Date: Thu,  2 Nov 2017 21:26:59 +0100

> When asix_suspend() is called dev->driver_priv might not have been
> assigned a value, so we need to check that it's not NULL.
> 
> Found by syzkaller.
 ...
> Signed-off-by: Andrey Konovalov 

Applied, thank you.
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

6 matches

Site Navigation

Mail list logo

Footer information