
Description of issue is incorrect. #1

Open
russdill opened this issue Sep 6, 2023 · 1 comment

Comments


russdill commented Sep 6, 2023

There are several issues with this report.

  • There is no usb_giveback_urb function, maybe the reporter meant __usb_hcd_giveback_urb or usb_hcd_giveback_urb?
  • There are no gotos or loops in either function.

usb_giveback_urb_bh does have two loops, but it's clear that both loops must always terminate. It looks like the actual issue is related to drivers/media/rc/imon.c continually resubmitting urbs making the system unusable.


desnesn commented Jan 17, 2024

Hello @wanrenmi @russdill ,

Hope things are well with both of you.

For starters, I also agree with Russ' observations.

I wonder if the offending code meant by @wanrenmi on the report was a restart goto on usb_giveback_urb_bh() that was removed on v6.0-rc1 commit torvalds/linux@26c6c2f .

Furthermore, I am not a Debian/Ubuntu based distro user, but I also wonder if the NVR mentioned on the report (v6.3.7) is some sort of Debian/Ubuntu kernel NVR. I think this is so, mostly because by the report, I am guessing that @wanrenmi apparently used the usbfuzz-afl to reproduce this PoC/CVE.

The instructions on how to set up the Debian image, run it with the provided qemu-system-x86_64, patch the kernel to add a custom KVM inter-VM shared memory driver (ivshmem), while also patching the kernel to save a prev_loc variable on the stack during interrupts that will be read by the ivshmem driver, can be found here: https://github.com/HexHive/USBFuzz/tree/master .

Hence, in the case this test was run on a Debian kernel which did not include commit 26c6c2f8a907, maybe a retest would certainly be welcome to verify if this patch fixes this CVE and in consequence makes imon stop resubmitting urbs.

Thanks in advance for any help on the matter, @wanrenmi and @russdill.

Best Regards,
