linux/drivers/usb/misc
Alan Stern df05a9b05e USB: sisusbvga: Add endpoint checks
The syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver:

------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 <0f> 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95
RBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003
R13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline]
 sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379
 sisusb_send_bridge_packet drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline]
 sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline]
 sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177
 sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869
...

The problem was caused by the fact that the driver does not check
whether the endpoints it uses are actually present and have the
appropriate types.  This can be fixed by adding a simple check of
the endpoints.

Link: https://syzkaller.appspot.com/bug?extid=23be03b56c5259385d79
Reported-and-tested-by: syzbot+23be03b56c5259385d79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/48ef98f7-51ae-4f63-b8d3-0ef2004bb60a@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-04-20 11:43:22 +02:00
..
sisusbvga USB: sisusbvga: Add endpoint checks 2023-04-20 11:43:22 +02:00
adutux.c usb: misc: adutux: use swap() 2021-08-05 12:31:34 +02:00
apple-mfi-fastcharge.c USB: apple-mfi-fastcharge: Fix use after free in probe 2020-12-04 16:48:07 +01:00
appledisplay.c usb: appledisplay: use module_usb_driver to simplify the code 2020-09-22 10:37:19 +02:00
brcmstb-usb-pinmap.c usb: misc: brcmstb-usb-pinmap: add IRQ check 2021-08-13 13:05:50 +02:00
chaoskey.c hwrng: core - treat default_quality as a maximum and default to 1024 2022-11-18 16:59:34 +08:00
cypress_cy7c63.c
cytherm.c
ehset.c usb: misc: ehset: Rework test mode entry 2021-12-17 17:02:04 +01:00
emi26.c
emi62.c
ezusb.c usb: misc: ezusb: update to use usb_control_msg_send() 2021-03-28 13:41:27 +02:00
idmouse.c usb: idmouse: fix an uninit-value in idmouse_open 2022-09-27 10:37:09 +02:00
iowarrior.c USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100 2023-01-20 15:06:23 +01:00
isight_firmware.c
Kconfig usb: move config USB_USS720 to usb's misc Kconfig 2023-03-29 10:34:08 +02:00
ldusb.c usb: ldusb: replace ternary operator with max_t() 2022-07-14 16:09:56 +02:00
legousbtower.c USB: make devnode() callback in usb_class_driver take a const * 2022-10-20 12:11:56 +02:00
lvstest.c usb: remove third argument of usb_maxpacket() 2022-04-23 10:33:53 +02:00
Makefile usb: ftdi-elan: Delete driver 2023-03-21 16:31:59 +01:00
onboard_usb_hub_pdevs.c usb: misc: onboard_hub: Fix 'missing prototype' warning 2022-07-14 16:09:32 +02:00
onboard_usb_hub.c usb: misc: onboard-hub: add support for Microchip USB2517 USB 2.0 hub 2023-03-09 14:54:46 +01:00
onboard_usb_hub.h usb: misc: onboard-hub: add support for Microchip USB2517 USB 2.0 hub 2023-03-09 14:54:46 +01:00
qcom_eud.c usb: misc: eud: Fix an error handling path in eud_probe() 2022-04-21 19:24:10 +02:00
trancevibrator.c USB: trancevibrator: fix control-request direction 2021-05-21 20:10:43 +02:00
usb251xb.c usb: misc: usb251xb: drop of_match_ptr for ID table 2023-03-16 12:15:23 +01:00
usb3503.c usb: misc: usb3503: support usb3803 and bypass mode 2023-03-16 12:18:03 +01:00
usb4604.c usb: usb4604: Convert to i2c's .probe_new() 2022-11-22 17:33:27 +01:00
usb_u132.h
usblcd.c USB: usblcd: Remove the superfluous break 2020-08-28 09:48:33 +02:00
usbsevseg.c USB: usbsevseg: convert sysfs snprintf to sysfs_emit 2022-07-27 14:48:14 +02:00
usbtest.c usb/misc: fix repeated words in comments 2022-07-27 14:33:57 +02:00
uss720.c usb: misc: uss720: fix uninitialized variable rlen 2022-09-07 16:23:48 +02:00
yurex.c USB: yurex: fix control-URB timeout handling 2020-12-28 15:47:06 +01:00