Re: WARNING in hso_free_net_device

2019-09-05 Thread Hui Peng
On 9/5/2019 7:24 AM, Andrey Konovalov wrote: > On Thu, Sep 5, 2019 at 4:20 AM Hui Peng wrote: >> >> Can you guys have a look at the attached patch? > > Let's try it: > > #syz test: https://github.com/google/kasan.git eea39f24 > > FYI: there are two mor

Re: WARNING in hso_free_net_device

2019-09-04 Thread Hui Peng
Can you guys have a look at the attached patch? On 9/4/19 6:41 PM, Stephen Hemminger wrote: > On Wed, 4 Sep 2019 16:27:50 -0400 > Hui Peng wrote: > >> Hi, all: >> >> I looked at the bug a little. >> >> The issue is that in the error handling c

Re: WARNING in hso_free_net_device

2019-09-04 Thread Hui Peng
Hi, all: I looked at the bug a little. The issue is that in the error handling code, hso_free_net_device unregisters the net_device (hso_net->net)  by calling unregister_netdev. In the error handling code path, hso_net->net has not been registered yet. I think there are two ways to solve the

Re: [PATCH 2/2] Fix a stack buffer overflow bug in check_input_term

2019-09-01 Thread Hui Peng
On 9/1/19 9:00 AM, Salvatore Bonaccorso wrote: > Hi Hui, > > On Fri, Aug 30, 2019 at 05:47:29PM -0400, Hui Peng wrote: >> `check_input_term` recursively calls itself with input from >> device side (e.g., uac_input_terminal_descriptor.bCSourceID) >> as argument

Re: [PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit

2019-09-01 Thread Hui Peng
On 9/1/19 8:58 AM, Salvatore Bonaccorso wrote: > On Fri, Aug 30, 2019 at 05:46:49PM -0400, Hui Peng wrote: >> The `uac_mixer_unit_descriptor` shown as below is read from the >> device side. In `parse_audio_mixer_unit`, `baSourceID` field is >> accessed from index 0 to `bNrInP

Re: [PATCH] Fix a double free bug in rsi_91x_deinit

2019-08-31 Thread Hui Peng
On 8/31/19 2:18 PM, Guenter Roeck wrote: > On Mon, Aug 19, 2019 at 06:02:29PM -0400, Hui Peng wrote: >> `dev` (struct rsi_91x_usbdev *) field of adapter >> (struct rsi_91x_usbdev *) is allocated and initialized in >> `rsi_init_usb_interface`. If any error is detected in inf

[PATCH 1/2] Fix an OOB bug in parse_audio_mixer_unit

2019-08-30 Thread Hui Peng
[]; } ``` This patch fixes the bug by adding a sanity check on the length of the descriptor. CVE: CVE-2018-15117 Reported-by: Hui Peng Reported-by: Mathias Payer Signed-off-by: Hui Peng --- sound/usb/mixer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c

[PATCH 2/2] Fix a stack buffer overflow bug in check_input_term

2019-08-30 Thread Hui Peng
stack overflow. This patch fixes the bug by adding a bitmap to `struct mixer_build` to keep track of the checked ids and stop the execution if some id has been checked (similar to how parse_audio_unit handles unitid argument). CVE: CVE-2018-15118 Reported-by: Hui Peng Reported-by: Mathias Payer

Re: [PATCH] Fix an OOB access bug in technisat_usb2_get_ir

2019-08-20 Thread Hui Peng
+0x816/0x14d0 kernel/workqueue.c:2153  worker_thread+0x9b/0xce0 kernel/workqueue.c:2296  kthread+0x33d/0x400 kernel/kthread.c:246  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 On 8/20/19 2:19 PM, Hui Peng wrote: > In the while loop of technisat_usb2_get_ir, it scans through > a fix

[PATCH] Fix an OOB access bug in technisat_usb2_get_ir

2019-08-20 Thread Hui Peng
. Reported-by: Hui Peng Reported-by: Mathias Payer Signed-off-by: Hui Peng --- drivers/media/usb/dvb-usb/technisat-usb2.c | 5 + 1 file changed, 5 insertions(+) diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c index c659e18b358b

[PATCH] Fix a double free bug in rsi_91x_deinit

2019-08-19 Thread Hui Peng
path, the `dev` field is not (and thus needs to be) freed. This bug was found in v4.19, but is also present in the latest version of kernel. Reported-by: Hui Peng Reported-by: Mathias Payer Signed-off-by: Hui Peng --- drivers/net/wireless/rsi/rsi_91x_usb.c | 1 - 1 file changed, 1 deletion

[PATCH] Fix an OOB bug in uac_mixer_unit_bmControls

2019-08-19 Thread Hui Peng
-by: Hui Peng Reported-by: Mathias Payer Signed-off-by: Hui Peng --- sound/usb/mixer.c | 25 ++--- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index b5927c3d5bc0..00e6274a63c3 100644 --- a/sound/usb/mixer.c +++ b/sound/usb

[PATCH] Fix an OOB bug in uac_mixer_unit_bmControls

2019-08-16 Thread Hui Peng
-by: Hui Peng Reported-by: Mathias Payer Signed-off-by: Hui Peng --- sound/usb/mixer.c | 25 ++--- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index b5927c3d5bc0..00e6274a63c3 100644 --- a/sound/usb/mixer.c +++ b/sound/usb

Re: [PATCH] Fix a stack buffer overflow bug check_input_term

2019-08-14 Thread Hui Peng
feedback. On 8/15/19 12:35 AM, Hui Peng wrote: > `check_input_term` recursively calls itself with input > from device side (e.g., uac_input_terminal_descriptor.bCSourceID) > as argument (id). In `check_input_term`, if `check_input_term` > is called with the same `id` argument a

[PATCH] Fix a stack buffer overflow bug check_input_term

2019-08-14 Thread Hui Peng
stack overflow. This patch fixes the bug by adding a bitmap to `struct mixer_build` to keep track of the checked ids by `check_input_term` and stop the execution if some id has been checked (similar to how parse_audio_unit handles unitid argument). Reported-by: Hui Peng Reported-by: Mathias Payer

[PATCH] Fix an OOB bug in parse_audio_mixer_unit

2019-08-13 Thread Hui Peng
[]; } ``` This patch fixes the bug by adding a sanity check on the length of the descriptor. Signed-off-by: Hui Peng Reported-by: Hui Peng Reported-by: Mathias Payer --- sound/usb/mixer.c | 9 + 1 file changed, 9 insertions(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index

[PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe

2019-08-03 Thread Hui Peng
ot report complete addresses, it may trigger NULL-ptr-deref `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`. This patch fixes the bug by preventing potential NULL-ptr-deref. Signed-off-by: Hui Peng Reported-by: Hui Peng Reported-by: Mathias Payer --- drivers/net/wireless/at