
Bug#994535: linux: u2fzero driver crashes when the device is quickly removed
Source: linux
Severity: minor
Tags: patch upstream
Control: forwarded -1 https://bugzilla.kernel.org/show_bug.cgi?id=214437

Hi,

I ran into this bug in the code I wrote myself some years ago.

Sometimes the driver crashes with a buffer overflow upon the device
insertion. After the crash, often neither U2F nor RNG functionality is
available.

I ran into this bug on Ubuntu, but the code basically hasn’t changed a
lot since the driver was merged.

    usb 2-2: USB disconnect, device number 18
    detected buffer overflow in memcpy
    ------------[ cut here ]------------
    kernel BUG at lib/string.c:1149!
    invalid opcode: 0000 [#1] SMP PTI
    CPU: 1 PID: 61299 Comm: hwrng Tainted: G          IOE     5.11.0-25-generic #27-Ubuntu
    Hardware name: LENOVO 20CM001UUK/20CM001UUK, BIOS N10ET27W (1.04 ) 12/01/2014
    RIP: 0010:fortify_panic+0x13/0x15
    Code: 35 96 77 36 01 48 c7 c7 6b 01 81 8a e8 d3 c3 fe ff 41 5c 41 5d 5d c3 55 48 89 fe 48 c7 c7 b8 01 81 8a 48 89 e5 e8 ba c3 fe ff <0f> 0b 48 c7 c7 90 f7 48 8a e8 df ff ff ff 48 c7 c7 98 f7 48 8a e8
    RSP: 0018:ffffb04803df3e28 EFLAGS: 00010246
    RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: ffff8de3bdc58ac0 RDI: ffff8de3bdc58ac0
    RBP: ffffb04803df3e28 R08: 0000000000000000 R09: ffffb04803df3c20
    R10: ffffb04803df3c18 R11: ffffffff8af53588 R12: ffff8de089aa7440
    R13: ffff8de2c3862598 R14: 0000000000000000 R15: ffffb0480366f428
    FS:  0000000000000000(0000) GS:ffff8de3bdc40000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fa10098f000 CR3: 00000002bec10004 CR4: 00000000003706e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     u2fzero_rng_read.cold+0xc/0xc [hid_u2fzero]
     hwrng_fillfn+0xd8/0x180
     kthread+0x12f/0x150
     ? enable_best_rng+0x70/0x70
     ? __kthread_bind_mask+0x70/0x70
     ret_from_fork+0x22/0x30
    Modules linked in: hid_u2fzero hid_generic usbhid hid usb_serial_simple usbserial ccm xt_nat veth nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter bridge stp llc vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) bnep snd_seq_dummy snd_hrtimer ip6t_REJECT nf_reject_ipv6 ip6t_rpfilter xt_tcpudp ipt_REJECT nf_reject_ipv4 xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_counter overlay ip6_tables nft_compat ip_set nf_tables nfnetlink nls_iso8859_1 binfmt_misc joydev intel_rapl_msr mei_hdcp snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi uvcvideo snd_hda_intel btusb btrtl intel_rapl_common snd_intel_dspcfg soundwire_intel x86_pkg_temp_thermal soundwire_generic_allocation intel_powerclamp btbcm soundwire_cadence coretemp snd_hda_codec btintel snd_hda_core cdc_mbim kvm_intel cdc_wdm snd_hwdep bluetooth cdc_ncm cdc_ether snd_seq_midi ecdh_generic soundwire_bus snd_seq_midi_event cdc_acm ecc usbnet mii kvm
     rmi_smbus snd_soc_core snd_compress rapl rmi_core intel_cstate ac97_bus snd_rawmidi snd_pcm_dmaengine videobuf2_vmalloc snd_pcm input_leds iwlmvm videobuf2_memops mac80211 serio_raw wmi_bmof efi_pstore videobuf2_v4l2 libarc4 videobuf2_common snd_seq iwlwifi snd_seq_device snd_timer videodev at24 intel_pch_thermal mc cfg80211 thinkpad_acpi nvram ledtrig_audio mei_me mei snd soundcore mac_hid sch_fq_codel pkcs8_key_parser msr parport_pc ppdev lp parport ip_tables x_tables autofs4 btrfs blake2b_generic xor raid6_pq libcrc32c dm_crypt crct10dif_pclmul i915 rtsx_pci_sdmmc crc32_pclmul i2c_algo_bit ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper lpc_ich drm_kms_helper syscopyarea sysfillrect psmouse sysimgblt fb_sys_fops cec ahci i2c_i801 libahci rc_core i2c_smbus e1000e rtsx_pci drm xhci_pci xhci_pci_renesas wmi video
    ---[ end trace e7936f97d201c167 ]---
    RIP: 0010:fortify_panic+0x13/0x15
    Code: 35 96 77 36 01 48 c7 c7 6b 01 81 8a e8 d3 c3 fe ff 41 5c 41 5d 5d c3 55 48 89 fe 48 c7 c7 b8 01 81 8a 48 89 e5 e8 ba c3 fe ff <0f> 0b 48 c7 c7 90 f7 48 8a e8 df ff ff ff 48 c7 c7 98 f7 48 8a e8
    RSP: 0018:ffffb04803df3e28 EFLAGS: 00010246
    RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: ffff8de3bdc58ac0 RDI: ffff8de3bdc58ac0
    RBP: ffffb04803df3e28 R08: 0000000000000000 R09: ffffb04803df3c20
    R10: ffffb04803df3c18 R11: ffffffff8af53588 R12: ffff8de089aa7440
    R13: ffff8de2c3862598 R14: 0000000000000000 R15: ffffb0480366f428
    FS:  0000000000000000(0000) GS:ffff8de3bdc40000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fa10098f000 CR3: 0000000194fa6005 CR4: 00000000003706e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Please see the patch attached.

-- 
Cheers,
  Andrej

From 561ecacf79120c88158fb511ff406745cc7e2871 Mon Sep 17 00:00:00 2001
From: Andrej Shadura <andrew.shadura@collabora.co.uk>
Date: Thu, 16 Sep 2021 17:19:14 +0100
Subject: [PATCH] HID: u2fzero: ignore incomplete packets without data

Since the actual_length calculation is performed unsigned, packets
shorter than 7 bytes (e.g. packets without data or otherwise truncated)
or non-received packets ("zero" bytes) can cause a buffer overflow.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=214437
Fixes: 42337b9d4d958 ("HID: add driver for U2F Zero built-in LED and RNG")
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
---
 drivers/hid/hid-u2fzero.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
index 95e0807878c7..d70cd3d7f583 100644
--- a/drivers/hid/hid-u2fzero.c
+++ b/drivers/hid/hid-u2fzero.c
@@ -198,7 +198,9 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data,
 	}
 
 	ret = u2fzero_recv(dev, &req, &resp);
-	if (ret < 0)
+
+	/* ignore errors or packets without data */
+	if (ret < offsetof(struct u2f_hid_msg, init.data))
 		return 0;
 
 	/* only take the minimum amount of data it is safe to take */
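Review bot: the new guard `if (ret < offsetof(struct u2f_hid_msg, init.data))` compares `ret`, which the removed `if (ret < 0)` treated as signed, against the `size_t` that `offsetof()` yields, so `ret` is promoted to unsigned and a negative error return from `u2fzero_recv()` becomes a huge value that is never less than the offset; the "ignore errors" half of the new comment is therefore no longer true, and the old error path has been lost. Cast the offset back to a signed type, e.g. `if (ret < (int)offsetof(struct u2f_hid_msg, init.data))`, or keep an explicit `ret < 0 ||` in front of the length check.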
-- 
2.31.1
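As an added example (not code from the driver or from the patch above), a user-space C model of the two integer-conversion pitfalls the commit message and hunk touch: the size_t subtraction that wraps for packets shorter than 7 bytes, and the signed-versus-unsigned comparison in the new guard, next to a guard and length computation that handle both. The struct layout and the 57-byte payload are assumptions; only the 7-byte data offset comes from the page.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the U2F HID message the patch refers to: 7 header
 * bytes, then payload (57 bytes is an assumption, not from the page). */
struct u2f_hid_msg {
	uint32_t cid;
	struct {
		uint8_t cmd, bcnth, bcntl;
		uint8_t data[57];
	} init;
};

#define DATA_OFFSET offsetof(struct u2f_hid_msg, init.data) /* == 7 */
#define DATA_SIZE   sizeof(((struct u2f_hid_msg *)0)->init.data)

/* Pre-patch arithmetic, modelled: the header is subtracted from the received
 * byte count in size_t, so for ret < 7 the result wraps to a huge value and a
 * later bounded memcpy can be asked for far more than init.data holds. */
size_t payload_len_unchecked(int ret)
{
	return (size_t)ret - DATA_OFFSET;
}

/* The guard as the hunk writes it. offsetof() yields size_t, so the
 * signed ret is promoted to unsigned: a negative error return becomes a
 * huge value, is not "< 7", and is NOT rejected despite the comment. */
int guard_as_patched(int ret)
{
	return ret < DATA_OFFSET;
}

/* Same guard with the offset cast to int: errors (ret < 0) and truncated
 * packets (0 <= ret < 7) are both rejected. */
int guard_fixed(int ret)
{
	return ret < (int)DATA_OFFSET;
}

/* Bytes it is safe to copy out of init.data: 0 when the guard rejects,
 * otherwise bounded by both the payload size and the caller's buffer. */
size_t payload_len_checked(int ret, size_t max)
{
	if (guard_fixed(ret))
		return 0;
	size_t len = (size_t)ret - DATA_OFFSET;
	if (len > DATA_SIZE)
		len = DATA_SIZE;
	return len < max ? len : max;
}
```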