There are several issues with this report. There is no usb_giveback_urb function; maybe the reporter meant __usb_hcd_giveback_urb or usb_hcd_giveback_urb?
There are no gotos or loops in either function.
usb_giveback_urb_bh does have two loops, but it's clear that both loops must always terminate. It looks like the actual issue is related to drivers/media/rc/imon.c continually resubmitting URBs, making the system unusable.
For starters, I also agree with Russ' observations.
I wonder if the offending code meant by @wanrenmi in the report was a restart goto in usb_giveback_urb_bh() that was removed in v6.0-rc1 by commit torvalds/linux@26c6c2f.
Furthermore, I am not a Debian/Ubuntu based distro user, but I also wonder if the NVR mentioned in the report (v6.3.7) is some sort of Debian/Ubuntu kernel NVR. I think this is so, mostly because, from the report, I am guessing that @wanrenmi apparently used usbfuzz-afl to reproduce this PoC/CVE.
The instructions on how to set up the Debian image, run it with the provided qemu-system-x86_64, patch the kernel to add a custom KVM inter-VM shared memory driver (ivshmem), and also patch the kernel to save a prev_loc variable on the stack during interrupts that will be read by the ivshmem driver can be found here: https://github.com/HexHive/USBFuzz/tree/master.
Hence, in case this test was run on a Debian kernel which did not include commit 26c6c2f8a907, maybe a retest would certainly be welcome to verify whether this patch fixes this CVE and in consequence makes imon stop resubmitting URBs.