On Mon, Sep 19, 2016 at 11:47:40AM +0200, Martin Pieuchot wrote: > On 19/09/16(Mon) 14:20, Jonathan Gray wrote: > > On Sat, Sep 17, 2016 at 04:36:12PM +0200, Martin Pieuchot wrote: > > > One of the non-checked value read from an untrusted descriptor is the > > > "maximum packet size" of an endpoint. If a device reports an incorrect > > > value most of our HC drivers wont work and if this value is 0 ehci(4) > > > will crash the kernel. > > > > > > So here's a diff to validate the value read from the device descriptor > > > which ends up being the value of the default endpoint. > > > > > > ok? > > > > This patch made vmware hang when attaching xhci uhubs. > > > > usbd_new_device bus=0xffff8000001e4000 port=0 depth=0 speed=4 > > usbd_new_device: adding unit addr=1, rev=300, class=9, subclass=0, > > protocol=1, maxpacket=9, len=18, speed=4 > > usb2: root hub problem > > > > usbd_new_device mps 9 mps0 512 > > > > It would appear that for superspeed devices maxpacketsize0 is a power > > of 2? ie 2^9 is 512. > > You're correct, here's a fix.
Thanks, this patch works with the same setup. ok jsg@ I think the - (mps != 8 || mps != 16 || mps != 32 || mps != 64)) { + (mps != 8 && mps != 16 && mps != 32 && mps != 64)) part of the one I sent sound go in as well? > > Index: usb_subr.c > =================================================================== > RCS file: /cvs/src/sys/dev/usb/usb_subr.c,v > retrieving revision 1.129 > diff -u -p -r1.129 usb_subr.c > --- usb_subr.c 18 Sep 2016 09:51:24 -0000 1.129 > +++ usb_subr.c 19 Sep 2016 09:42:58 -0000 > @@ -1175,8 +1175,12 @@ usbd_new_device(struct device *parent, s > } > > mps = dd->bMaxPacketSize; > - if (speed == USB_SPEED_SUPER && mps == 0xff) > - mps = 512; > + if (speed == USB_SPEED_SUPER) { > + if (mps == 0xff) > + mps = 9; > + /* xHCI Section 4.8.2.1 */ > + mps = (1 << mps); > + } > > if (mps != mps0) { > if ((speed == USB_SPEED_LOW) || >