1. Patchew
  2. linux
  3. [PATCH 0/2] USB: sisusbvga: Fix integer overflow and NULL dereference
  4. View patch

[PATCH 2/2] USB: sisusbvga: Fix NULL pointer dereference in sisusb_read

Vasiliy Kovalev posted 2 patches 1 month, 2 weeks ago
There is a newer version of this series
[PATCH 2/2] USB: sisusbvga: Fix NULL pointer dereference in sisusb_read
Posted by Vasiliy Kovalev 1 month, 2 weeks ago 
sisusb_read() passes the user-supplied buffer pointer as 'userbuffer' to
sisusb_read_mem_bulk() in two branches:

    /* VRAM path */
    errno = sisusb_read_mem_bulk(sisusb, address,
            NULL, count, buffer, &bytes_read);

    /* MMIO path */
    errno = sisusb_read_mem_bulk(sisusb, address,
            NULL, count, buffer, &bytes_read);

If buffer == NULL (e.g. read(fd, NULL, count) from userspace), both calls
reach sisusb_read_mem_bulk() with kernbuffer=NULL and userbuffer=NULL.
The condition:

    if (userbuffer)

evaluates to false, the kernbuffer path is taken, and the subsequent
dereference:

    swap32 = *((u32 *)kernbuffer);

panics the kernel:

  Oops: general protection fault, probably for non-canonical
        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  CPU: 3 UID: 0 PID: 370 Comm: sisusbvga-fops- Not tainted 6.19.0-next-20260217 #1
  RIP: 0010:sisusb_read_mem_bulk.constprop.0 (drivers/usb/misc/sisusbvga/sisusbvga.c:1171)
  Call Trace:
   <TASK>
   __pfx_sisusb_read_mem_bulk.constprop.0 (drivers/usb/misc/sisusbvga/sisusbvga.c:1092)
   sisusb_read (drivers/usb/misc/sisusbvga/sisusbvga.c:2396)
   vfs_read (fs/read_write.c:572)
   ksys_read (fs/read_write.c:718)
   do_syscall_64 (arch/x86/entry/syscall_64.c:94)
   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
   RIP: 0033:0x7f335af3fefc
   </TASK>

Add a NULL check after the existing sanity checks, before the first
branch, to guard both the VRAM and the MMIO paths. Release the mutex
before returning, consistent with the existing -ENODEV path above.

Found by Linux Verification Center (linuxtesting.org) with Svace.
Tested with 'USB Gadget Tests'[1]:

$ TEST=sisusbvga-fops-svace-null-deref
$ echo $TEST > tests/list.txt && make && sudo ./check.sh

[1] Link: https://github.com/kovalev0/usb-gadget-tests
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@vger.kernel.org>
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
 drivers/usb/misc/sisusbvga/sisusbvga.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/usb/misc/sisusbvga/sisusbvga.c b/drivers/usb/misc/sisusbvga/sisusbvga.c
index 89d566d192aa..e14deb1955d9 100644
--- a/drivers/usb/misc/sisusbvga/sisusbvga.c
+++ b/drivers/usb/misc/sisusbvga/sisusbvga.c
@@ -2319,6 +2319,11 @@ static ssize_t sisusb_read(struct file *file, char __user *buffer,
 		return -ENODEV;
 	}
 
+	if (!buffer) {
+		mutex_unlock(&sisusb->lock);
+		return -EFAULT;
+	}
+
 	if ((*ppos) >= SISUSB_PCI_PSEUDO_IOPORTBASE &&
 			(*ppos) <  SISUSB_PCI_PSEUDO_IOPORTBASE + 128) {
 
-- 
2.50.1
Re: [lvc-project] [PATCH 2/2] USB: sisusbvga: Fix NULL pointer dereference in sisusb_read
Posted by Fedor Pchelkin 1 month, 1 week ago 
Hi there,

On Wed, 18. Feb 03:55, Vasiliy Kovalev wrote:
> sisusb_read() passes the user-supplied buffer pointer as 'userbuffer' to
> sisusb_read_mem_bulk() in two branches:
> 
>     /* VRAM path */
>     errno = sisusb_read_mem_bulk(sisusb, address,
>             NULL, count, buffer, &bytes_read);
> 
>     /* MMIO path */
>     errno = sisusb_read_mem_bulk(sisusb, address,
>             NULL, count, buffer, &bytes_read);
> 
> If buffer == NULL (e.g. read(fd, NULL, count) from userspace), both calls
> reach sisusb_read_mem_bulk() with kernbuffer=NULL and userbuffer=NULL.
> The condition:
> 
>     if (userbuffer)
> 
> evaluates to false, the kernbuffer path is taken, and the subsequent
> dereference:
> 
>     swap32 = *((u32 *)kernbuffer);
> 
> panics the kernel:
> 
>   Oops: general protection fault, probably for non-canonical
>         address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
>   KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
>   CPU: 3 UID: 0 PID: 370 Comm: sisusbvga-fops- Not tainted 6.19.0-next-20260217 #1
>   RIP: 0010:sisusb_read_mem_bulk.constprop.0 (drivers/usb/misc/sisusbvga/sisusbvga.c:1171)
>   Call Trace:
>    <TASK>
>    __pfx_sisusb_read_mem_bulk.constprop.0 (drivers/usb/misc/sisusbvga/sisusbvga.c:1092)
>    sisusb_read (drivers/usb/misc/sisusbvga/sisusbvga.c:2396)
>    vfs_read (fs/read_write.c:572)
>    ksys_read (fs/read_write.c:718)
>    do_syscall_64 (arch/x86/entry/syscall_64.c:94)
>    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>    RIP: 0033:0x7f335af3fefc
>    </TASK>

This implies the error might be hiding in sisusb_read_mem_bulk().  Its
API should clarify the valid combinations of kernbuffer and userbuffer.
Just like sisusb_write_mem_bulk() does, see comment for that function:

 * If data is from userland, set "userbuffer" (and clear "kernbuffer"),
 * if data is in kernel space, set "kernbuffer" (and clear "userbuffer");
 * if neither "kernbuffer" nor "userbuffer" are given, it is assumed
 * that the data already is in the transfer buffer "sisusb->obuf[index]".

I guess something like that may be relevant for sisusb_read_mem_bulk()
as well, e.g. use sisusb->ibuf by default if both buffers are NULL.
Though it's only a blind guess.

I'd rather suggest making sisusb_read_mem_bulk() check kernbuffer and
userbuffer itself and return an error if both of them happen to be NULL.
That at least keeps current behavior, too.

> 
> Add a NULL check after the existing sanity checks, before the first
> branch, to guard both the VRAM and the MMIO paths. Release the mutex
> before returning, consistent with the existing -ENODEV path above.
> 
> Found by Linux Verification Center (linuxtesting.org) with Svace.
> Tested with 'USB Gadget Tests'[1]:
> 
> $ TEST=sisusbvga-fops-svace-null-deref
> $ echo $TEST > tests/list.txt && make && sudo ./check.sh
> 
> [1] Link: https://github.com/kovalev0/usb-gadget-tests
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
> ---
>  drivers/usb/misc/sisusbvga/sisusbvga.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/usb/misc/sisusbvga/sisusbvga.c b/drivers/usb/misc/sisusbvga/sisusbvga.c
> index 89d566d192aa..e14deb1955d9 100644
> --- a/drivers/usb/misc/sisusbvga/sisusbvga.c
> +++ b/drivers/usb/misc/sisusbvga/sisusbvga.c
> @@ -2319,6 +2319,11 @@ static ssize_t sisusb_read(struct file *file, char __user *buffer,
>  		return -ENODEV;
>  	}
>  
> +	if (!buffer) {
> +		mutex_unlock(&sisusb->lock);
> +		return -EFAULT;
> +	}

It's possible to perform the check without grabbing the mutex overall.
Another nit: this returns -EFAULT.  I think it's is supposed to be used
when the actual page fault has happened.  Incorrect parameters are usually
denied with -EINVAL.  Anyway, that's not a big deal here and there is no
strict documentation on that part.

Thanks.

> +
>  	if ((*ppos) >= SISUSB_PCI_PSEUDO_IOPORTBASE &&
>  			(*ppos) <  SISUSB_PCI_PSEUDO_IOPORTBASE + 128) {
>  
> -- 
> 2.50.1

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.