> On 2 Aug 2016, at 19:19, Binyamin Sharet (bsharet) <[email protected]> wrote:
>
> Hi All,
>
> I have used Umap2 to scan OpenBSD 5.9 on i386 for supported USB devices,
> and during this scan I have found 4 issues with the USB stack.
> Umap2 can be downloaded from github [1].
>
> The scanning requires some hardware - facedancer/beaglebone board,
> and consists of emulating USB devices with single configuration,
> single interface and multiple (5 IN, 5 OUT) endpoints on this interface.
> Each time the VID (vendor ID) and PID (product ID) of the emulated USB
> device are changed to match one of 155 known USB VID/PID that are
> currently in a DB in Umap2. It aims at triggering the specific driver
> for that VID/PID combination in order to detect support for it in the OS.
>
> I would refer to the issues by their VID/PID tuple from now.
>
> The first two issues - 13d3_3346 and 0cf3_9170 (handling devices with
> VID/PID 0x13d3/0x3346 and 0x0cf3/0x9170) cause a kernel panic due to
> kernel diagnostic assertion in the usbtask (file dev/usb/ehci.c,
> line 1654).
>
> The third issue - 50c2_4013 - is a page fault, caused when trying to
> read from invalid address in ehci_check_intr (movzbl 0x3(%eax), %eax).
>
> The fourth issue - 04bb_0904 - does not cause a crash, but it seems to
> cause the USB stack to hang, and so it does not communicate with any
> device that is inserted after this one, even if it was removed.
> I was not able to find any more information about this one.
>
> All issues were reproduced on my machine multiple times.
>
> In the next 4 emails I will send the details regarding each of the
> issues, as this is my first encounter with OpenBSD, I am not very
> familiar with debugging and analyzing the system, and I'll surely
> miss some required information.
> If so, please let me know what's missing and I will try my best to
> provide it.
> Most of the information is based on pictures, as I couldn't copy
> the data from the computer in any other way. If there is - please
> let me know.
>
> Regards,
> Binyamin Sharet
> Cisco, STARE-C
>
> [1]: https://github.com/nccgroup/umap2
>
Some information that was missed before:

The Umap2 command line detailed in each of the bugs was issued on a
BeagleBone Black running Linux, which is able to emulate a USB device
using the gadgetfs driver.

While the device descriptor is pretty standard, each time containing
different VID/PID, the configuration descriptor is rather long and
unconventional, and contains 10 endpoint descriptors within it.

Below are the descriptors sent to the host during the scan.
They are always the same (for all 4 issues) except for VID/PID.
In the device descriptor, XXXX is a placeholder for VID (little endian)
and YYYY is a placeholder for PID.

Device descriptor:
12010200ff010140XXXXYYYY010001020301

1st Configuration descriptor:
09025800010104c032

2nd Configuration descriptor (3 next lines are a single descriptor):
09025800010104c032090400000aff0101000705810340000107050103400001070582
0200020107050202000201070583014000010705030140000107058402000201070504
020002010705850110000107050502000201

Binyamin Sharet
Cisco, STARE-C
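The configuration descriptor quoted in the message above can be decoded with a bounds-checked walker, which is the kind of validation a host stack needs before trusting bLength, wTotalLength or bNumEndpoints. This is an added example, not part of the original message and not OpenBSD or Umap2 code; `walk_config` and `struct cfg_summary` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The 88-byte configuration descriptor quoted in the message above. */
static const uint8_t cfg_desc[] = {
    0x09,0x02,0x58,0x00,0x01,0x01,0x04,0xc0,0x32,   /* configuration */
    0x09,0x04,0x00,0x00,0x0a,0xff,0x01,0x01,0x00,   /* interface */
    0x07,0x05,0x81,0x03,0x40,0x00,0x01, 0x07,0x05,0x01,0x03,0x40,0x00,0x01,
    0x07,0x05,0x82,0x02,0x00,0x02,0x01, 0x07,0x05,0x02,0x02,0x00,0x02,0x01,
    0x07,0x05,0x83,0x01,0x40,0x00,0x01, 0x07,0x05,0x03,0x01,0x40,0x00,0x01,
    0x07,0x05,0x84,0x02,0x00,0x02,0x01, 0x07,0x05,0x04,0x02,0x00,0x02,0x01,
    0x07,0x05,0x85,0x01,0x10,0x00,0x01, 0x07,0x05,0x05,0x02,0x00,0x02,0x01,
};
struct cfg_summary {                 /* hypothetical result type */
    unsigned total_len, declared_eps, in_eps, out_eps;
    unsigned by_type[4];             /* control, isochronous, bulk, interrupt */
};
/* Walk a configuration descriptor without trusting any length field.
 * Returns 0 if well formed and consistent, -1 otherwise. */
int walk_config(const uint8_t *p, size_t len, struct cfg_summary *s)
{
    *s = (struct cfg_summary){0};
    if (len < 9 || p[0] != 9 || p[1] != 0x02)
        return -1;
    s->total_len = (unsigned)(p[2] | (p[3] << 8)); /* wTotalLength, little endian */
    if (s->total_len > len)
        return -1;                                 /* claims more than was received */
    for (size_t off = 0; off < s->total_len; off += p[off]) {
        uint8_t blen = p[off];
        if (blen < 2 || off + blen > s->total_len)
            return -1;                             /* endless loop or overrun */
        uint8_t type = p[off + 1];
        if (type == 0x04) {                        /* interface descriptor */
            if (blen < 9) return -1;
            s->declared_eps += p[off + 4];         /* bNumEndpoints */
        } else if (type == 0x05) {                 /* endpoint descriptor */
            if (blen < 7) return -1;
            if (p[off + 2] & 0x80) s->in_eps++; else s->out_eps++;
            s->by_type[p[off + 3] & 0x03]++;       /* transfer type bits */
        }
    }
    return (s->in_eps + s->out_eps == s->declared_eps) ? 0 : -1;
}
int main(void)
{
    struct cfg_summary s;
    int rc = walk_config(cfg_desc, sizeof cfg_desc, &s);
    printf("rc=%d len=%u in=%u out=%u\n", rc, s.total_len, s.in_eps, s.out_eps);
    return rc ? 1 : 0;
}
```

For this descriptor the walker reports 5 IN and 5 OUT endpoints: two interrupt, three isochronous and five bulk, all on one vendor-class interface.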
