Re: [media] hdpvr: Fix an error handling path in hdpvr_probe()

2017-12-14 Thread Andrey Konovalov
initializing a worker. >> hdpvr_register_videodev() is called by hdpvr_probe at last. >> So no need to flush any work here. >> Unregister v4l2, free buffers and memory if hdpvr_probe() fails. >> >> Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com> >> Reported-by: Andrey K

Re: usb/media/em28xx: use-after-free in dvb_unregister_frontend

2017-11-23 Thread Andrey Konovalov
On Thu, Nov 23, 2017 at 8:25 AM, Matthias Schwarzott <z...@gentoo.org> wrote: > Am 21.11.2017 um 14:51 schrieb Andrey Konovalov: >> Hi! >> > Hi Andrey, > >> I've got the following report while fuzzing the kernel with syzkaller. >> >> On commit e1d1e

usb/media/em28xx: use-after-free in dvb_unregister_frontend

2017-11-21 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit e1d1ea549b57790a3d8cf6300e6ef86118d692a3 (4.15-rc1). em28xx 1-1:9.0: Disconnecting tc90522 1-0015: Toshiba TC90522 attached. qm1d1c0042 2-0061: Sharp QM1D1C0042 attached. dvbdev: DVB: registering new adapter

Re: [PATCH] au0828: fix use-after-free at USB probing

2017-11-20 Thread Andrey Konovalov
On Fri, Nov 10, 2017 at 6:35 PM, Gustavo A. R. Silva <garsi...@embeddedor.com> wrote: > > Quoting Andrey Konovalov <andreyk...@google.com>: > >> On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva >> <garsi...@embeddedor.com> wrote: >>> >&g

Re: [PATCH] au0828: fix use-after-free at USB probing

2017-11-10 Thread Andrey Konovalov
On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva wrote: > Hi Andrey, > > Could you please try this patch? > > Thank you Hi Gustavo, With your patch I get a different crash. Not sure if it's another bug or the same one manifesting differently. au0828:

Re: [RFT] [media] em28xx: Fix use-after-free in v4l2_fh_init

2017-11-09 Thread Andrey Konovalov
40ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ====== > --- > This bug report by Andrey Konovalov "net/media/em28xx: use-after-free in > v4l2_fh_init" > > drivers/media/usb/em28xx/em28xx-video.c |

Re: usb/media/uvc: slab-out-of-bounds in uvc_probe

2017-11-09 Thread Andrey Konovalov
RA) { I see what you're trying to do though and I'd say a better patch would be to reset the UVC_TERM_INPUT flag or fail when this flag is set. But it's up to maintainers. Thanks! > > > On Monday, November 6, 2017 at 8:27:23 AM UTC-5, Andrey Konovalov wrote: >> >> Hi! >>

Re: usb/media/dtt200u: use-after-free in __dvb_frontend_free

2017-11-07 Thread Andrey Konovalov
On Tue, Nov 7, 2017 at 11:31 AM, Mauro Carvalho Chehab <mche...@s-opensource.com> wrote: > Em Mon, 23 Oct 2017 20:58:09 +0200 > Matthias Schwarzott <z...@gentoo.org> escreveu: > >> Am 23.10.2017 um 16:41 schrieb Andrey Konovalov: >> > Hi! >> > >

usb/media/uvc: slab-out-of-bounds in uvc_probe

2017-11-06 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8). It seems that type == UVC_ITT_CAMERA | 0x8000, that's why the (type == UVC_ITT_CAMERA) check fails and (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) passes, so

usb/media/tm6000: use-after-free in tm6000_read_write_usb

2017-11-06 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8). usb 1-1: USB disconnect, device number 11 tm6000: disconnecting tm6000 #0 xc2028 0-0061: destroying instance

usb/media/technisat: slab-out-of-bounds in technisat_usb2_rc_query

2017-11-06 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8). It seems that there's no check of the received buffer length in technisat_usb2_get_ir(). ==

usb/media/dw2102: null-ptr-deref in dvb_usb_adapter_frontend_init/tt_s2_4600_frontend_attach

2017-11-03 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+). The report is a little confusing, as the top stack frame is not actually present. As far as my debugging showed, the NULL pointer that's being executed

net/media/em28xx: use-after-free in v4l2_fh_init

2017-11-03 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+). em28xx 1-1:0.0: analog set to bulk mode. em28xx 1-1:0.0: Registering V4L2 extension usb 1-1: USB disconnect, device number 39 em28xx 1-1:0.0: Disconnecting

Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini

2017-11-03 Thread Andrey Konovalov
On Fri, Nov 3, 2017 at 3:44 PM, Andrey Konovalov <andreyk...@google.com> wrote: > Hi! > > I've got the following report while fuzzing the kernel with syzkaller. > > On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+). > > em28xx 1-1:2.0: New device a @ 480 M

usb/media/pvrusb2: WARNING in pvr2_i2c_core_done/sysfs_remove_group

2017-11-03 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+). pvrusb2: Hardware description: OnAir Creator Hybrid USB tuner pvrusb2: Invalid write control endpoint ... pvrusb2: Invalid write control endpoint pvrusb2:

usb/media/em28xx: use-after-free in em28xx_dvb_fini

2017-11-03 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+). em28xx 1-1:2.0: New device a @ 480 Mbps (eb1a:2801, interface 0, class 0) em28xx 1-1:2.0: Audio interface 0 found (Vendor Class) em28xx 1-1:2.0: chip ID is

[PATCH] media: dib0700: fix invalid dvb_detach argument

2017-11-02 Thread Andrey Konovalov
24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8 de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00 RIP: symbol_put_addr+0x54/0x60 RSP: 88006a7ce210 ---[ end trace b75b357739e7e116 ]--- Signed-off-by: Andr

Re: [PATCH] media: pvrusb2: properly check endpoint types

2017-11-02 Thread Andrey Konovalov
On Thu, Nov 2, 2017 at 2:52 PM, Andrey Konovalov <andreyk...@google.com> wrote: > As syzkaller detected, pvrusb2 driver submits bulk urb without checking > that the endpoint type is actually bulk. Add a check. > > usb 1-1: BOGUS urb xfer, pipe 3 != type 1 > -

[PATCH] media: pvrusb2: properly check endpoint types

2017-11-02 Thread Andrey Konovalov
ff ff 48 8d b8 98 00 00 00 e8 ee 82 89 fe 45 89 e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 40 c0 ea 86 e8 30 1b dc fc <0f> ff e9 9b f7 ff ff e8 aa 95 25 fd e9 80 f7 ff ff e8 50 74 f3 ---[ end trace 6919030503719da6 ]--- Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- drive

Re: [RFT] media: dvb_frontend: Fix use-after-free in __dvb_frontend_free

2017-10-24 Thread Andrey Konovalov
utdated tree, which doesn't contain the commit that seems to have caused the bug (ead666000a5fe34bdc82d61838e4df2d416ea15e). Thanks! > > Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com> > --- > This bug report by Andrey Konovalov (usb/media/dtt200u: use-after-free > in _

Re: usb/media/dtt200u: use-after-free in __dvb_frontend_free

2017-10-24 Thread Andrey Konovalov
On Mon, Oct 23, 2017 at 8:58 PM, Matthias Schwarzott <z...@gentoo.org> wrote: > Am 23.10.2017 um 16:41 schrieb Andrey Konovalov: >> Hi! >> >> I've got the following report while fuzzing the kernel with syzkaller. >> >> On commit 3e0cc09a3a2c40ec1ffb6b4e12da

usb/media/au0828: use-after-free in au0828_rc_unregister

2017-10-23 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+). au0828: recv_control_msg() Failed receiving control message, error -71. au0828: recv_control_msg() Failed receiving control message, error -71. au0828:

usb/media/mxl111sf: trying to register non-static key in mxl111sf_ctrl_msg

2017-10-23 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+). usb 1-1: New USB device found, idVendor=2040, idProduct=c602 usb 1-1: New USB device strings: Mfr=0, Product=1, SerialNumber=0 usb 1-1: Product: a usb 1-1:

usb/media/dtt200u: use-after-free in __dvb_frontend_free

2017-10-23 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+). dvb-usb: found a 'WideView WT-220U PenType Receiver (based on ZL353)' in warm state. dvb-usb: bulk message failed: -22 (2/1102416563) dvb-usb: will use the

Re: [PATCH] media: imon: Fix null-ptr-deref in imon_probe

2017-10-10 Thread Andrey Konovalov
On Mon, Oct 9, 2017 at 8:14 PM, Arvind Yadav <arvind.yadav...@gmail.com> wrote: > It seems that the return value of usb_ifnum_to_if() can be NULL and > needs to be checked. Hi Arvind, Your patch fixes the issue. Thanks! Tested-by: Andrey Konovalov <andreyk...@google.com&g

usb/media/imon: null-ptr-deref in imon_probe

2017-10-09 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4). It seems that the return value of usb_ifnum_to_if() can be NULL and needs to be checked. kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by

usb/media/imon: global-out-of-bounds in imon_probe/imon_init_intf0

2017-10-09 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4). It seems that imon_ir_raw doesn't have the .key_table initializer, which causes out-of-bounds access when iterating over the key table.

usb/media/uvc: BUG in uvc_mc_create_links/media_create_pad_link

2017-10-02 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 9e66317d3c92ddaab330c125dfe9d06eee268aff (4.14-rc3). uvcvideo: Found UVC 0.00 device a (2833:0201) uvcvideo 1-1:3.92: Entity type for entity Output 2 was not initialized! [ cut here ]

usb/media/v4l2: use-after-free in video_unregister_device/device_del

2017-10-02 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 9e66317d3c92ddaab330c125dfe9d06eee268aff (4.14-rc3). usb 1-1: config 48 interface 0 altsetting 0 endpoint 0x4 has invalid maxpacket 1956, setting to 64 usb 1-1: New USB device found, idVendor=0573,

Re: [RFT] [media] siano: FIX use-after-free in worker_thread

2017-09-27 Thread Andrey Konovalov
On Wed, Sep 27, 2017 at 8:38 PM, arvind <arvind.yadav...@gmail.com> wrote: > > > On Wednesday 27 September 2017 05:47 PM, Andrey Konovalov wrote: > > On Wed, Sep 27, 2017 at 2:00 PM, Andrey Konovalov <andreyk...@google.com> > wrote: > > On Wed, Se

Re: [RFT v2] [media] siano: FIX use-after-free in worker_thread

2017-09-27 Thread Andrey Konovalov
6b86b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb == Thanks! > --- > This bug report by Andrey Konovalov "usb/media/smsusb: use-after-free in > worker_thread". > changes in v2 : > call f

Re: [RFT] [media] siano: FIX use-after-free in worker_thread

2017-09-27 Thread Andrey Konovalov
On Wed, Sep 27, 2017 at 2:00 PM, Andrey Konovalov <andreyk...@google.com> wrote: > On Wed, Sep 27, 2017 at 11:21 AM, Arvind Yadav > <arvind.yadav...@gmail.com> wrote: >> If CONFIG_MEDIA_CONTROLLER_DVB is enabled, we are not releasing >> media device and memory on any

Re: [RFT] [media] siano: FIX use-after-free in worker_thread

2017-09-27 Thread Andrey Konovalov
b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 88006a2b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ====== > --- > This bug report by Andrey Konovalov "usb/media/smsusb: use-after-free in >

Re: [PATCH 2/2] media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner

2017-09-27 Thread Andrey Konovalov
d by NULL-ptr deref or user memory access > general protection fault: [#1] PREEMPT SMP KASAN > > Reported-by: Andrey Konovalov <andreyk...@google.com> > Signed-off-by: Malcolm Priestley <tvbox...@gmail.com> Tested-by: Andrey Konovalov <andreyk...@googl

Re: usb/media/uvc: warning in uvc_scan_chain_forward/__list_add

2017-09-26 Thread Andrey Konovalov
On Tue, Sep 26, 2017 at 2:50 PM, Laurent Pinchart <laurent.pinch...@ideasonboard.com> wrote: > Hi Andrey, > > On Tuesday, 26 September 2017 15:41:45 EEST Andrey Konovalov wrote: >> On Tue, Sep 26, 2017 at 10:43 AM, Laurent Pinchart wrote: >> > On Monday, 25 Septe

Re: usb/media/uvc: warning in uvc_scan_chain_forward/__list_add

2017-09-26 Thread Andrey Konovalov
On Tue, Sep 26, 2017 at 10:43 AM, Laurent Pinchart <laurent.pinch...@ideasonboard.com> wrote: > Hi Andrey, > > On Monday, 25 September 2017 15:40:13 EEST Andrey Konovalov wrote: >> Hi! >> >> I've got the following report while fuzzing the kernel with syzkal

usb/media/b2c2: GPF in flexcop_usb_transfer_init

2017-09-26 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2). It seems that there's no check on the actual number of endpoints. usb 1-1: New USB device strings: Mfr=212, Product=0, SerialNumber=6 usb 1-1: Manufacturer:

Re: usb/media/lmedm04: GPF in lme2510_int_read/usb_pipe_endpoint

2017-09-26 Thread Andrey Konovalov
On Mon, Sep 25, 2017 at 3:30 PM, Malcolm Priestley <tvbox...@gmail.com> wrote: > > > On 25/09/17 13:39, Andrey Konovalov wrote: >> >> Hi! >> >> I've got the following report while fuzzing the kernel with syzkaller. >> >> On commit e19b205be43d11b

usb/media/uvc: warning in uvc_scan_chain_forward/__list_add

2017-09-25 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2). list_add double add: new=880069084010, prev=880069084010, next=880067d22298. [ cut here ] WARNING: CPU: 1 PID: 1846 at

usb/media/lmedm04: GPF in lme2510_int_read/usb_pipe_endpoint

2017-09-25 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2). usb 1-1: new full-speed USB device number 2 using dummy_hcd gadgetfs: connected gadgetfs: disconnected gadgetfs: connected usb 1-1: config 63 interface 0

Re: usb/media/hdpvr: trying to register non-static key in hdpvr_probe

2017-09-22 Thread Andrey Konovalov
On Fri, Sep 22, 2017 at 3:09 PM, Arvind Yadav <arvind.yadav...@gmail.com> wrote: > Hi Andrey, > > > On Friday 22 September 2017 05:16 PM, Andrey Konovalov wrote: >> >> On Fri, Sep 22, 2017 at 9:41 AM, Arvind Yadav <arvind.yadav...@gmail.com> >> wrote:

Re: [PATCH] [media] hdpvr: Fix an error handling path in hdpvr_probe()

2017-09-22 Thread Andrey Konovalov
o No need to flush any work here. > Unregister v4l2, free buffers and memory if hdpvr_probe() fails. > > Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com> Reported-by: Andrey Konovalov <andreyk...@google.com> Thanks, this fixes the crash! Tested-by:

usb/media/stkwebcam: use-after-free in v4l2_ctrl_handler_free

2017-09-22 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). == BUG: KASAN: use-after-free in v4l2_ctrl_handler_free+0x9e1/0x9f0 Read of size 8 at addr

usb/media/dib0700: BUG in stk7070p_frontend_attach/symbol_put_addr

2017-09-22 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). dib0700: stk7070p_frontend_attach: state->dib7000p_ops.i2c_enumeration failed. Cannot continue [ cut here ] kernel BUG at

usb/media/zr364xx: GPF in zr364xx_vidioc_querycap/strlcpy

2017-09-22 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). usb 1-1: new full-speed USB device number 2 using dummy_hcd gadgetfs: connected gadgetfs: disconnected gadgetfs: connected usb 1-1: config 225 has an invalid

Re: usb/media/hdpvr: trying to register non-static key in hdpvr_probe

2017-09-22 Thread Andrey Konovalov
e dev->worker is initialized. Could you send a fix? I'm able to reproduce the issue, so I can test your patches if needed. Thanks! > > > On Thursday 21 September 2017 09:09 PM, Andrey Konovalov wrote: >> >> Hi! >> >> I've

usb/media/hdpvr: trying to register non-static key in hdpvr_probe

2017-09-21 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 0 PID: 24 Comm:

usb/media/smsusb: use-after-free in worker_thread

2017-09-21 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). smsusb:smsusb_probe: board id=1, interface number 0 smsusb:siano_media_device_register: media controller created smsusb:smsusb1_detectmode: product string not

Re: [PATCH] [media] cx231xx-cards: fix NULL-deref on missing association descriptor

2017-09-21 Thread Andrey Konovalov
4): Add cx231xx USB driver") > Cc: stable <sta...@vger.kernel.org> # 2.6.30 > Cc: Sri Deevi <srinivasa.de...@conexant.com> > Reported-by: Andrey Konovalov <andreyk...@google.com> > Signed-off-by: Johan Hovold <jo...@kernel.org> Tested-by: Andrey Kon

Re: usb/media/pvrusb2: warning in pvr2_send_request_ex/usb_submit_urb

2017-09-20 Thread Andrey Konovalov
sure, exploitable bugs in PCI-Express device drivers would be a viable attack vector for systems with proper IOMMU support. Same goes for any other hot-pluggable externally accessible port/protocol. > > -Mike [1] https://int3.cc/products/facedancer21 [2] https://www.raspberrypi.org/pro

usb/media/pvrusb2: warning in pvr2_send_request_ex/usb_submit_urb

2017-09-20 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). There seems to be no check on endpoint type before submitting bulk urb in pvr2_send_request_ex(). usb 1-1: New USB device found, idVendor=2040, idProduct=7500

usb/media/smsusb: null-ptr-deref in smsusb_init_device

2017-09-20 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). The null-ptr-deref happens on dev->udev->ep_in[1]->desc.wMaxPacketSize. There seems to be no check on the number of endpoints. usb 1-1: New USB device found,

usb/media/cx231xx: null-ptr-deref in cx231xx_usb_probe

2017-09-20 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). The null-ptr-deref happens on assoc_desc->bFirstInterface, where assoc_desc = udev->actconfig->intf_assoc[0]. There seems to be no check that the device
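The pvrusb2, smsusb and b2c2 reports above all come down to a probe path that trusts whatever descriptors the USB device presents: the driver indexes ep_in[]/ep_out[] without counting the endpoints that are really there, or submits a bulk URB to a hard-coded endpoint that was never checked to be bulk. The program below is an added illustration, not code from any of those drivers or from the USB core: a userspace model of the checks a probe function needs, run over two constructed descriptor blobs (one well-formed, one of the kind a fuzzer-driven gadget presents, where bNumEndpoints overstates what follows and the only endpoint is interrupt rather than bulk). The descriptor layout and bmAttributes codes are the USB 2.0 ones; the function names, the ep_set structure and the choice of error codes are the example's own. In-tree drivers get the same result from the USB core's usb_find_common_endpoints() helper.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Descriptor-type and bmAttributes codes from the USB 2.0 specification. */
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05
#define USB_EP_DIR_IN    0x80
#define USB_EP_XFER_MASK 0x03
#define USB_EP_XFER_BULK 0x02
#define USB_EP_XFER_INT  0x03

struct ep_set {
    uint8_t  bulk_in, bulk_out; /* bEndpointAddress; 0 = not found (EP0 is control) */
    uint16_t bulk_in_maxpacket; /* wMaxPacketSize, little-endian on the wire */
    int      num_endpoints;     /* endpoints actually present, NOT bNumEndpoints */
};

/* Walk a descriptor blob and record the first bulk IN and bulk OUT endpoint.
 * Every bLength is bounds-checked, so a truncated blob gives -EINVAL, not an OOB read. */
int classify_endpoints(const uint8_t *buf, size_t len, struct ep_set *set)
{
    size_t off = 0;
    memset(set, 0, sizeof(*set));
    while (off + 2 <= len) {
        uint8_t blen = buf[off], btype = buf[off + 1];
        if (blen < 2 || off + blen > len)
            return -EINVAL;
        if (btype == USB_DT_ENDPOINT && blen >= 7) {
            uint8_t addr = buf[off + 2], attrs = buf[off + 3];
            set->num_endpoints++;
            if ((attrs & USB_EP_XFER_MASK) == USB_EP_XFER_BULK) {
                if ((addr & USB_EP_DIR_IN) && !set->bulk_in) {
                    set->bulk_in = addr;
                    set->bulk_in_maxpacket = (uint16_t)(buf[off + 4] | (buf[off + 5] << 8));
                } else if (!(addr & USB_EP_DIR_IN) && !set->bulk_out) {
                    set->bulk_out = addr;
                }
            }
        }
        off += blen;
    }
    return 0;
}

/* Endpoints really present: consult this before indexing ep_in[]/ep_out[]. */
int count_endpoints(const uint8_t *buf, size_t len)
{
    struct ep_set s;
    int err = classify_endpoints(buf, len, &s);
    return err ? err : s.num_endpoints;
}

/* Probe-time gate: refuse to bind unless bulk IN and bulk OUT both exist. */
int probe_check(const uint8_t *buf, size_t len)
{
    struct ep_set s;
    int err = classify_endpoints(buf, len, &s);
    if (err)
        return err;
    return (s.bulk_in && s.bulk_out) ? 0 : -ENODEV;
}

/* Submit-time gate for a hard-coded endpoint address: it must exist (-ENOENT)
 * and be bulk (-EPIPE), the mismatch the USB core logs as "BOGUS urb xfer". */
int bulk_submit_check(const uint8_t *buf, size_t len, uint8_t addr)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t blen = buf[off], btype = buf[off + 1];
        if (blen < 2 || off + blen > len)
            return -EINVAL;
        if (btype == USB_DT_ENDPOINT && blen >= 7 && buf[off + 2] == addr)
            return (buf[off + 3] & USB_EP_XFER_MASK) == USB_EP_XFER_BULK ? 0 : -EPIPE;
        off += blen;
    }
    return -ENOENT;
}

/* Constructed blobs (not from a real device): interface descriptor + endpoints. */
static const uint8_t good_iface[] = {
    9, USB_DT_INTERFACE, 0, 0, 3, 0xff, 0, 0, 0,
    7, USB_DT_ENDPOINT, 0x81, USB_EP_XFER_BULK, 0x00, 0x02, 0,  /* bulk IN,  512 */
    7, USB_DT_ENDPOINT, 0x02, USB_EP_XFER_BULK, 0x00, 0x02, 0,  /* bulk OUT, 512 */
    7, USB_DT_ENDPOINT, 0x83, USB_EP_XFER_INT,  0x08, 0x00, 10, /* int IN,   8   */
};
/* A fuzzer-driven gadget: bNumEndpoints says 2, one interrupt endpoint follows. */
static const uint8_t bogus_iface[] = {
    9, USB_DT_INTERFACE, 0, 0, 2, 0xff, 0, 0, 0,
    7, USB_DT_ENDPOINT, 0x81, USB_EP_XFER_INT, 0x40, 0x00, 1,
};

int main(void)
{
    printf("good probe=%d bogus probe=%d bogus bulk(0x81)=%d\n",
           probe_check(good_iface, sizeof good_iface), probe_check(bogus_iface, sizeof bogus_iface),
           bulk_submit_check(bogus_iface, sizeof bogus_iface, 0x81));
    return 0;
}
```

Two points are worth noting about the design. The count comes from walking the descriptors that were actually received, never from bNumEndpoints, because a device controls both fields independently; and the bulk check is applied at the endpoint that will be used, not inferred from its position in the interface, which is exactly the assumption the pvrusb2 report shows being violated.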