Re: NULL pointer dereference when writing fuzzed data to /dev/uhid
From: Roderick Colenbrander
Date: Fri Jan 04 2019 - 16:35:18 EST
Thanks, it seems the tests created a Buzz controller. It is
sony_led_init (called from sony_input_configured) which calls
hid_validate_values. It is hid_validate_values which is unhappy due
to obviously corrupted reports.
I'm not too familiar with hid_validate_values, but it seems to access
a bunch of data structures on the HID device. The code probably makes
some assumptions. Fixing this issue requires some more sanity
checking, if it is worth it.
Thanks,
Roderick
On Fri, Jan 4, 2019 at 9:04 AM Anatoly Trosinenko
<anatoly.trosinenko@xxxxxxxxx> wrote:
>
> > Would you be able to share the sony.bin file?
> Sent it in this message.
>
> > Did you inject a particular device?
> If you are asking me, then no, I blindly send fuzzed data with a
> simple (but quite large and not very meaningful) header. That time it
> just turned out to be Sony-like descriptor :)
>
> Best regards
> Anatoly
>
> Fri, 4 Jan 2019 at 19:38, Roderick Colenbrander <thunderbird2k@xxxxxxxxx>:
> >
> > > > For sony.bin:
> > > >
> > > > root@kvm-xfstests:~# cat /vtmp/sony.bin > /dev/uhid
> > > > [ 16.891931] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.892432] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.892894] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.893362] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.893844] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.895389] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.898165] sony 0003:054C:1000.0001: ignoring exceeding usage max
> > > > [ 16.901190] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.903797] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.906401] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.908957] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.911449] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.913936] sony 0003:054C:1000.0001: unknown main item tag 0x1
> > > > [ 16.916551] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.918454] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.919743] sony 0003:054C:1000.0001: unknown main item tag 0x4
> > > > [ 16.920834] sony 0003:054C:1000.0001: unknown main item tag 0xe
> > > > [ 16.921904] sony 0003:054C:1000.0001: unknown main item tag 0xe
> > > > [ 16.923006] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.924082] sony 0003:054C:1000.0001: unknown main item tag 0x2
> > > > [ 16.925195] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.926289] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.927400] sony 0003:054C:1000.0001: unknown main item tag 0x0
> > > > [ 16.928546] BUG: unable to handle kernel NULL pointer dereference
> > > > at 0000000000000028
> > > > [ 16.929951] #PF error: [normal kernel read fault]
> > > > [ 16.930884] PGD 800000007a52b067 P4D 800000007a52b067 PUD 0
> > > > [ 16.931836] Oops: 0000 [#1] SMP PTI
> > > > [ 16.932437] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted
> > > > 4.20.0-xfstests-10979-g96d4f267e40 #1
> > > > [ 16.933752] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> > > > BIOS 1.11.1-1ubuntu1 04/01/2014
> > > > [ 16.935372] Workqueue: events uhid_device_add_worker
> > > > [ 16.936321] RIP: 0010:hid_validate_values+0x48/0x110
> > >
> > > In a sense, it's good to have a fault there because this was added to
> > > make sure we do not blindly accept any data. The fact that it doesn't
> > > fail gracefully is a sign that there is something else.
> > > Maybe Roderick could have a look?
> > >
> > > Cheers,
> > > Benjamin
> > >
> >
> > Sure, I can have a look. Would you be able to share the sony.bin file?
> > Did you inject a particular device? We do a lot of remapping and
> > processing in hid-sony at startup. It is probably related to that.
> >
> > Thanks,
> > Roderick
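As an added illustration of the sanity checking discussed in this thread (Roderick's observation that hid_validate_values assumes the HID data structures are populated, and Benjamin's point that the check exists so malformed descriptors are rejected rather than trusted), here is a small user-space C model. It is not kernel code and uses hypothetical struct and function names (the model_* identifiers); it shows a lookup that returns NULL for a report or field the descriptor never defined instead of dereferencing it.

```c
#include <stddef.h>

/* Constructed user-space model of HID report validation; it is not the
 * kernel's hid_validate_values() and uses hypothetical struct names. */
#define MODEL_MAX_IDS    256
#define MODEL_MAX_FIELDS 8

struct model_field  { unsigned report_count; };
struct model_report { unsigned id; unsigned maxfield;
                      struct model_field *field[MODEL_MAX_FIELDS]; };
struct model_report_enum { struct model_report *report_id_hash[MODEL_MAX_IDS]; };

/* Returns the report if it exists and is large enough, otherwise NULL.
 * Every pointer on the path is checked before it is dereferenced, so a
 * descriptor that never defined the report fails gracefully. */
static struct model_report *
model_validate_values(struct model_report_enum *re, unsigned id,
                      unsigned field_index, unsigned report_counts)
{
    struct model_report *r;

    if (!re || id >= MODEL_MAX_IDS)
        return NULL;                       /* bogus id from the caller */
    r = re->report_id_hash[id];
    if (!r)
        return NULL;                       /* report absent in descriptor */
    if (field_index >= r->maxfield || !r->field[field_index])
        return NULL;                       /* field absent */
    if (r->field[field_index]->report_count < report_counts)
        return NULL;                       /* too few values for the driver */
    return r;
}

/* Constructed sample: report 1 has one field carrying 4 values (think
 * four LEDs); report 2 is present but has no fields; report 3 is missing. */
static struct model_field  sample_led_field   = { .report_count = 4 };
static struct model_report sample_led_report  = { .id = 1, .maxfield = 1,
                                                  .field = { &sample_led_field } };
static struct model_report sample_empty_report = { .id = 2, .maxfield = 0 };
static struct model_report_enum sample_enum = {
    .report_id_hash = { [1] = &sample_led_report, [2] = &sample_empty_report }
};

/* 1 if the lookup succeeded, 0 if the request was rejected. */
int model_lookup_ok(unsigned id, unsigned field_index, unsigned counts)
{
    return model_validate_values(&sample_enum, id, field_index, counts) != NULL;
}
```

A driver asking for four values from report 1 succeeds; asking for five, or for anything from the empty report 2, the missing report 3, or an out-of-range id, is rejected without touching a NULL pointer.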