Re: usb/media/lmedm04: GPF in lme2510_int_read/usb_pipe_endpoint
From: Andrey Konovalov
Date: Tue Sep 26 2017 - 07:25:15 EST
On Mon, Sep 25, 2017 at 3:30 PM, Malcolm Priestley <tvboxspy@xxxxxxxxx> wrote:
>
>
> On 25/09/17 13:39, Andrey Konovalov wrote:
>>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
>>
>> usb 1-1: new full-speed USB device number 2 using dummy_hcd
>> gadgetfs: connected
>> gadgetfs: disconnected
>> gadgetfs: connected
>> usb 1-1: config 63 interface 0 altsetting 32 endpoint 0x7 has invalid
>> maxpacket 476, setting to 64
>> usb 1-1: config 63 interface 0 altsetting 32 has an invalid endpoint
>> with address 0x0, skipping
>> usb 1-1: config 63 interface 0 altsetting 32 has an invalid endpoint
>> with address 0xE7, skipping
>> usb 1-1: config 63 interface 0 altsetting 32 has an invalid endpoint
>> with address 0x7F, skipping
>> usb 1-1: config 63 interface 0 has no altsetting 0
>> usb 1-1: New USB device found, idVendor=3344, idProduct=22f0
>> usb 1-1: New USB device strings: Mfr=255, Product=0, SerialNumber=8
>> usb 1-1: Manufacturer: a
>> usb 1-1: SerialNumber: a
>> gadgetfs: configuration #63
>> gadgetfs: configuration #63
>> usb 1-1: selecting invalid altsetting 1
>> LME2510(C): Firmware Status: 4 (61)
>> usb 1-1: dvb_usb_v2: found a 'DM04_LME2510C_DVB-S RS2000' in warm state
>> usb 1-1: dvb_usb_v2: will use the device's hardware PID filter (table
>> count: 15)
>> dvbdev: DVB: registering new adapter (DM04_LME2510C_DVB-S RS2000)
>> usb 1-1: media controller created
>> dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
>> LME2510(C): FE Found M88RS2000
>> ts2020: probe of 0-0060 failed with error -11
>> usb 1-1: DVB: registering adapter 0 frontend 0 (DM04_LME2510C_DVB-S
>> RS2000 RS2000)...
>> dvbdev: dvb_create_media_entity: media entity 'DM04_LME2510C_DVB-S
>> RS2000 RS2000' registered.
>> LME2510(C): TUN Found RS2000 tuner
>> kasan: CONFIG_KASAN_INLINE enabled
>> kasan: GPF could be caused by NULL-ptr deref or user memory access
>> general protection fault: 0000 [#1] PREEMPT SMP KASAN
>
> Neither is it null or user memory, and it is always present regardless of
> tuner state when _real_ hardware is connected.
Hi Malcolm,
An attacker with physical access to a machine may connect a malicious
USB device. In this case such a device would only cause a kernel
crash, which might not be considered that critical, but other bugs
might be exploitable and allow arbitrary code execution or data leaks.
It would be nice to get this fixed to allow further testing of this
driver.
Thanks!