[lvc-project] [PATCH] Input: hanwang - require Interrupt IN endpoint
Fedor Pchelkin
pchelkin at ispras.ru
Wed Mar 19 14:24:26 MSK 2025
On Sun, 16. Mar 18:13, Vasiliy Kovalev wrote:
> Fix binding to compromised USB devices using non-Interrupt endpoint
> (e.g., Bulk), which can trigger a system crash with panic_on_warn
> enabled. Replace endpoint count check with usb_find_int_in_endpoint()
> to enforce Interrupt IN.
>
> Syzbot report:
> usb 1-1: BOGUS urb xfer, pipe 1 != type 3
> WARNING: CPU: 0 PID: 2827 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
> Modules linked in:
> CPU: 0 UID: 0 PID: 2827 Comm: acpid Not tainted 6.14.0-rc3-syzkaller-00071-gb331a3d8097f #0
>
> Call Trace:
> <TASK>
> hanwang_open+0xa8/0xf0 drivers/input/tablet/hanwang.c:284
> input_open_device+0x230/0x390 drivers/input/input.c:600
> evdev_open+0x52d/0x690 drivers/input/evdev.c:478
> chrdev_open+0x237/0x6a0 fs/char_dev.c:414
> do_dentry_open+0x6cb/0x1390 fs/open.c:956
> vfs_open+0x82/0x3f0 fs/open.c:1086
> do_open fs/namei.c:3830 [inline]
> path_openat+0x1e88/0x2d80 fs/namei.c:3989
> do_filp_open+0x20c/0x470 fs/namei.c:4016
> do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
> __x64_sys_openat+0x175/0x210 fs/open.c:1454
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Found by Linux Verification Center (linuxtesting.org) with
> "USB Gadget Tests" [1]:
>
> $ make input-tab-hanwang
> $ sudo ./src/input-tab-hanwang/input-tab-hanwang --invalid_ep_int_type
>
> Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets")
> Cc: stable at vger.kernel.org
> [1] Link: https://github.com/kovalev0/usb-gadget-tests
> Reported-by: syzbot+9fe8f6caeb5661802ca2 at syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=9fe8f6caeb5661802ca2
> Signed-off-by: Vasiliy Kovalev <kovalev at altlinux.org>
> ---
Are you planning to open a GitLab issue for this finding?
> drivers/input/tablet/hanwang.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/input/tablet/hanwang.c b/drivers/input/tablet/hanwang.c
> index 42c1e5eaddd50..7315bee4f3fe7 100644
> --- a/drivers/input/tablet/hanwang.c
> +++ b/drivers/input/tablet/hanwang.c
> @@ -319,8 +319,11 @@ static int hanwang_probe(struct usb_interface *intf, const struct usb_device_id
> int error;
> int i;
>
> - if (intf->cur_altsetting->desc.bNumEndpoints < 1)
> + if (usb_find_int_in_endpoint(intf->cur_altsetting,
> + &endpoint) != 0) {
> + dev_err(&intf->dev, "int in endpoint not found\n");
> return -ENODEV;
> + }
>
> hanwang = kzalloc(sizeof(*hanwang), GFP_KERNEL);
> input_dev = input_allocate_device();
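Review bot: the new check at the top of hanwang_probe() compares the helper's return value with `!= 0` and discards it, although the `error` local is declared two lines above. Consider `error = usb_find_int_in_endpoint(intf->cur_altsetting, &endpoint);` followed by `if (error) {`, which matches the usual kernel style and keeps the helper's result available. The placement before kzalloc() and input_allocate_device() is right, since the early return then has nothing to free. The message "int in endpoint not found" would be easier to act on if it said the interface lacks an interrupt IN endpoint.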
> @@ -387,7 +390,6 @@ static int hanwang_probe(struct usb_interface *intf, const struct usb_device_id
> input_set_abs_params(input_dev, ABS_PRESSURE,
> 0, hanwang->features->max_pressure, 0, 0);
>
> - endpoint = &intf->cur_altsetting->endpoint[0].desc;
> usb_fill_int_urb(hanwang->irq, dev,
> usb_rcvintpipe(dev, endpoint->bEndpointAddress),
> hanwang->data, hanwang->features->pkg_len,
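Review bot: with the `endpoint = &intf->cur_altsetting->endpoint[0].desc;` assignment removed, usb_rcvintpipe() now takes its address from whichever descriptor the lookup at probe entry stored in `endpoint`, which is not necessarily endpoint[0]. A device whose interrupt IN endpoint is not the first one in the altsetting was previously given a pipe built from endpoint[0] and will now bind to the later endpoint. That behaviour change is reasonable but should be stated in the commit message, which currently describes only the rejection of non-Interrupt endpoints.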
> --
> 2.42.2