Jump to content

Leaderboard

Popular Content

Showing content with the highest reputation on 03/13/23 in all areas

  1. https://www.facebook.com/ads/library - cred ca de aici Trimite-mi PM cu suma pe care esti dispus sa o platesti (nu m-am documentat inca pe subiectul asta, dar daca se poate prin link-ul de mai sus, o pot face).
    2 points
  2. Salut, cumpar acest model de telefon (Figure1): Conditii: plata: paysafecard; livrare: easybox; stare buna. Figure 1 Astept oferte.
    1 point
  3. Linux USB usbnet tells minidrivers to unbind while netdev is still up, causing use-after-free conditions. Download: GS20230313141819.tgz (10.7 KB) Mirror: usb-ax88172a.c // roughly based off https://github.com/xairy/raw-gadget/blob/master/examples/keyboard.c // NOTE: this is playing fast-and-loose with endianness, it'll break on big-endian systems. #include <err.h> #include <signal.h> #include <stdbool.h> #include <assert.h> #include <alloca.h> #include <errno.h> #include <unistd.h> #include <string.h> #include <stdlib.h> #include <stdio.h> #include <fcntl.h> #include <sys/ioctl.h> #include <linux/usb/cdc.h> #include <linux/usb/raw_gadget.h> #include <linux/mii.h> #include <linux/mdio.h> #define SYSCHK(x) ({ \ typeof(x) __res = (x); \ if (__res == (typeof(x))-1) \ err(1, "SYSCHK(" #x ")"); \ __res; \ }) static int usb_fd; #define errx(code, ...) { printf(__VA_ARGS__); printf("\n"); while (1) pause(); } struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; }; static struct usb_device_descriptor usb_device = { .bLength = USB_DT_DEVICE_SIZE, .bDescriptorType = USB_DT_DEVICE, .bcdUSB = __constant_cpu_to_le16(0x0200), /* USB 2.0 */ .bDeviceClass = __constant_cpu_to_le16(USB_CLASS_COMM), // is this even used? .bMaxPacketSize0 = 64, /* maximum value the kernel lets us use */ /* "We are a very legit..." (checks notes) "ASIX 88172a demo board" (looks * back up) "and would like to help you get connected to the network!" */ .idVendor = __constant_cpu_to_le16(0x0b95), .idProduct = __constant_cpu_to_le16(0x172a), .iManufacturer = 1, .iProduct = 2, .iSerialNumber = 3, .bNumConfigurations = 1 }; struct usb_config_descriptor usb_config = { .bLength = USB_DT_CONFIG_SIZE, .bDescriptorType = USB_DT_CONFIG, .wTotalLength = 0, // fixed up later .bNumInterfaces = 1, .bConfigurationValue = 1, .iConfiguration = 4, .bmAttributes = USB_CONFIG_ATT_ONE |// must be set USB_CONFIG_ATT_SELFPOWER, .bMaxPower = 0 // no power draw from host }; struct usb_interface_descriptor usb_interface = { .bLength = USB_DT_INTERFACE_SIZE, .bDescriptorType = USB_DT_INTERFACE, .bInterfaceNumber = 0, .bAlternateSetting = 0, .bNumEndpoints = 3, .bInterfaceClass = USB_CLASS_COMM, // ? .bInterfaceSubClass = USB_CDC_SUBCLASS_ETHERNET, .bInterfaceProtocol = USB_CDC_PROTO_NONE, .iInterface = 5, }; struct usb_endpoint_descriptor usb_endpoint_in = { .bLength = USB_DT_ENDPOINT_SIZE, .bDescriptorType = USB_DT_ENDPOINT, .bEndpointAddress = USB_DIR_IN | 1, .bmAttributes = USB_ENDPOINT_XFER_BULK, .wMaxPacketSize = 512, //.bInterval = 1 }; struct usb_endpoint_descriptor usb_endpoint_out = { .bLength = USB_DT_ENDPOINT_SIZE, .bDescriptorType = USB_DT_ENDPOINT, .bEndpointAddress = USB_DIR_OUT | 1, .bmAttributes = USB_ENDPOINT_XFER_BULK, .wMaxPacketSize = 512, //.bInterval = 1 }; struct usb_endpoint_descriptor usb_endpoint_intr = { .bLength = USB_DT_ENDPOINT_SIZE, .bDescriptorType = USB_DT_ENDPOINT, .bEndpointAddress = USB_DIR_IN | 2, .bmAttributes = USB_ENDPOINT_XFER_INT, .wMaxPacketSize = 8, .bInterval = 1 }; unsigned short intr_handle; void usb_reply(void *data, size_t len, size_t req_length) { printf(" REPLY: size %lu, req_length %lu\n", (unsigned long)len, (unsigned long)req_length); if (len > req_length) len = req_length; struct usb_raw_ep_io *io = alloca(sizeof(struct usb_raw_ep_io)+len); io->ep = 0; io->flags = 0; io->length = len; memcpy(io->data, data, len); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP0_WRITE, io)); } void usb_reply_zero(size_t req_length) { char *data = alloca(req_length); memset(data, '\0', req_length); usb_reply(data, req_length, req_length); } void usb_get_and_ack(void *buf, size_t len, size_t req_length) { printf(" ACK OUT: req_length %lu\n", (unsigned long)req_length); struct usb_raw_ep_io *io = alloca(sizeof(struct usb_raw_ep_io)+req_length); memset(io, 0xee, sizeof(struct usb_raw_ep_io)+req_length); io->ep = 0; io->flags = 0; io->length = req_length; //printf("issuing USB_RAW_IOCTL_EP0_READ with io->length=%u\n", io->length); int ret_len = SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP0_READ, io)); assert(ret_len == req_length); if (buf) { if (len > req_length) { memset(buf, '\0', len); len = req_length; } memcpy(buf, ((char*)io)+sizeof(struct usb_raw_ep_io), len); } } void usb_ack(size_t req_length) { usb_get_and_ack(NULL, 0, req_length); } void descr_append(void *buf, size_t *buf_len, void *descr, size_t descr_len) { printf(" descr_append(buf, len, descr, descr_len=%lu with first byte %hhu\n", (unsigned long)descr_len, *(unsigned char *)descr); assert(descr_len <= 255); assert(descr_len >= 2); assert(((unsigned char*)descr)[0] == descr_len); memcpy(buf + *buf_len, descr, descr_len); (*buf_len) += descr_len; ((struct usb_config_descriptor*)buf)->wTotalLength = __cpu_to_le16(*buf_len); } int state = 0; void handle_alarm(int sig) { if (state == 0) state = 1; } int main(int argc, char **argv) { setbuf(stdout, NULL); setbuf(stderr, NULL); usb_fd = SYSCHK(open("/dev/raw-gadget", O_RDWR)); struct usb_raw_init init_args = { .speed = USB_SPEED_HIGH }; strcpy(init_args.driver_name, argv[1]); strcpy(init_args.device_name, argv[2]); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_INIT, &init_args)); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_RUN, 0)); struct sigaction alarm_act = { .sa_handler = handle_alarm, .sa_flags = 0 }; if (sigaction(SIGALRM, &alarm_act, NULL)) err(1, "sigaction"); //alarm(30); while (1) { if (state == 1) { printf("===================== BRINGING LINK UP =====================\n"); state = 2; struct { struct usb_raw_ep_io io; struct { /*ax88172_int_data*/ unsigned short res1; unsigned char link; unsigned short res2; unsigned char status; unsigned short res3; unsigned int intdata2; } __attribute__((packed)) data; } io_with_data = { .io = { .ep = intr_handle, .flags = 0, .length = sizeof(io_with_data.data) }, .data = { .link = 1 } }; SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_WRITE, &io_with_data)); /* close(usb_fd); exit(0); */ } struct usb_raw_control_event control_ev = { .inner = { .type = 0, .length = sizeof(control_ev.ctrl) } }; int res = ioctl(usb_fd, USB_RAW_IOCTL_EVENT_FETCH, &control_ev); if (res == -1) { if (errno == EINTR) continue; err(1, "USB_RAW_IOCTL_EVENT_FETCH"); } if (control_ev.inner.type == USB_RAW_EVENT_CONNECT) { // nothing to do } else if (control_ev.inner.type == USB_RAW_EVENT_CONTROL) { unsigned req_length = __le16_to_cpu(control_ev.ctrl.wLength); bool is_dir_in = (control_ev.ctrl.bRequestType & USB_DIR_IN) != 0; printf("got control (in=%d, wLength=%u):\n", is_dir_in, req_length); switch (control_ev.ctrl.bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch(control_ev.ctrl.bRequest) { case USB_REQ_GET_DESCRIPTOR: { unsigned descriptor_type = control_ev.ctrl.wValue >> 8; switch (descriptor_type) { case USB_DT_DEVICE: printf(" getting device descriptor\n"); usb_reply(&usb_device, sizeof(usb_device), req_length); break; case USB_DT_CONFIG: { printf(" getting dt config\n"); char dt_config[1024*128]; size_t dt_config_len = 0; descr_append(dt_config, &dt_config_len, &usb_config, sizeof(usb_config)); descr_append(dt_config, &dt_config_len, &usb_interface, sizeof(usb_interface)); descr_append(dt_config, &dt_config_len, &usb_endpoint_in, USB_DT_ENDPOINT_SIZE); descr_append(dt_config, &dt_config_len, &usb_endpoint_out, USB_DT_ENDPOINT_SIZE); descr_append(dt_config, &dt_config_len, &usb_endpoint_intr, USB_DT_ENDPOINT_SIZE); usb_reply(dt_config, dt_config_len, req_length); } break; case USB_DT_STRING: { unsigned string_id = control_ev.ctrl.wValue & 0xff; printf(" getting string %d\n", string_id); if (string_id == 0) { unsigned char string_descr[] = { 4/*length*/, USB_DT_STRING, 0x09, 0x04 /* English - United States */ }; usb_reply(string_descr, sizeof(string_descr), req_length); } else { unsigned char string_descr[] = { 12/*length*/, USB_DT_STRING, 'D',0,'U',0,'M',0,'M',0,'Y',0 }; usb_reply(string_descr, sizeof(string_descr), req_length); } } break; default: errx(1, "USB_REQ_GET_DESCRIPTOR: descriptor_type=%x", descriptor_type); } } break; case USB_REQ_SET_CONFIGURATION: { printf(" set configuration\n"); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_ENABLE, &usb_endpoint_in)); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_ENABLE, &usb_endpoint_out)); intr_handle = SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_ENABLE, &usb_endpoint_intr)); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_CONFIGURE, 0)); usb_ack(req_length); } break; case USB_REQ_SET_INTERFACE: { printf(" set interface\n"); usb_ack(req_length); } break; default: errx(1, "unknown standard ctrlrequest 0x%x", (unsigned)control_ev.ctrl.bRequest); } break; case USB_TYPE_CLASS: errx(1, "unknown class ctrlrequest"); case USB_TYPE_VENDOR: printf(" vendor ctrlrequest bRequest=0x%02hhx wValue=0x%04hx wIndex=0x%04hx wLength=0x%04hx\n", control_ev.ctrl.bRequest, control_ev.ctrl.wValue, control_ev.ctrl.wIndex, control_ev.ctrl.wLength); if (!is_dir_in) { usb_ack(req_length); continue; } switch (control_ev.ctrl.bRequest) { #if 1 case 0x01/*AX_ACCESS_MAC*/: { static unsigned char srom_addr; static const unsigned short ledvalue = (1<<15/*LED_VALID*/); printf(" AX_ACCESS_MAC\n"); switch (control_ev.ctrl.wValue) { case 0x02/*PHYSICAL_LINK_STATUS*/: { printf(" PHYSICAL_LINK_STATUS\n"); /* Linux checks AX_USB_SS and AX_USB_HS, influences URB size: * ->rx_urb_size * can be 0x5000 / 0x6000 / 0x6800 / 0x6800 * We prefer the smallest one (0x5000), which we get from * setting AX_USB_SS plus GMII_PHY_PHYSR_GIGA. */ unsigned char pl_status = 0x04; /*AX_USB_SS*/ usb_reply(&pl_status, sizeof(pl_status), req_length); } break; case 0x03/*GENERAL_STATUS*/: { printf(" GENERAL_STATUS\n"); unsigned short general_status = __cpu_to_le16(0x04/*AX_SECLD*/); usb_reply(&general_status, 2, req_length); } break; case 0x07/*AX_SROM_ADDR*/: { printf(" AX_SROM_ADDR\n"); usb_get_and_ack(&srom_addr, 1, req_length); printf(" SROM address: 0x%hhx\n", srom_addr); } break; case 0x08/*AX_SROM_DATA_LOW*/: { printf(" AX_SROM_DATA_LOW from 0x%hhx\n", srom_addr); if (srom_addr < 6) { unsigned char eeprom_head[12] = { /*0-5*/0, 0, 0, 0, 0, 0, // dontcare (first must not be FF) /*6-9*/0, 0, 0, 0, // checksummed /*10*/0xff // checksum }; usb_reply(eeprom_head + srom_addr*2, 2, req_length); } else if (srom_addr == 0x42) { unsigned char b = 8 & 0xff; usb_reply(&b, 1, req_length); } else { errx(1, "unhandled SROM range"); } } break; case 0x09/*AX_SROM_DATA_HIGH*/: { printf(" AX_SROM_DATA_HIGH from 0x%hhx\n", srom_addr); if (srom_addr == 0x42) { unsigned char b = ledvalue >> 8; usb_reply(&b, 1, req_length); } else { errx(1, "unhandled SROM range"); } } break; case 0x0a/*AX_SROM_CMD*/: { printf(" AX_SROM_CMD\n"); if (is_dir_in) { unsigned char value = 0; // EEP_BUSY would spin until timeout usb_reply(&value, 1, req_length); } else { usb_ack(req_length); } } break; case 0x0b/*AX_RX_CTL*/: { unsigned short ax_rx_ctl_value; usb_get_and_ack(&ax_rx_ctl_value, sizeof(ax_rx_ctl_value), req_length); printf(" AX_RX_CTL = 0x%04hx ################\n", ax_rx_ctl_value); } break; case 0x16/*AX_MULFLTARY*/: { printf(" AX_MULFLTARY ||||||||||||||||||||||||||||||||||||||||||\n"); usb_ack(req_length); if (state == 0) state = 1; } break; case 0x22/*AX_MEDIUM_STATUS_MODE*/: { printf(" AX_MEDIUM_STATUS_MODE\n"); usb_ack(req_length); } break; case 0x24/*AX_MONITOR_MOD*/: { printf(" AX_MONITOR_MOD\n"); usb_ack(req_length); } break; case 0x26/*AX_PHYPWR_RSTCTL*/: { printf(" AX_PHYPWR_RSTCTL\n"); usb_ack(req_length); } break; case 0x2e/*AX_RX_BULKIN_QCTRL*/: { printf(" AX_RX_BULKIN_QCTRL\n"); usb_ack(req_length); } break; case 0x34/*AX_RXCOE_CTL*/: { printf(" AX_RXCOE_CTL\n"); usb_ack(req_length); } break; case 0x35/*AX_TXCOE_CTL*/: { printf(" AX_TXCOE_CTL\n"); usb_ack(req_length); } break; case 0x54/*AX_PAUSE_WATERLVL_HIGH*/: { printf(" AX_PAUSE_WATERLVL_HIGH\n"); usb_ack(req_length); } break; case 0x55/*AX_PAUSE_WATERLVL_LOW*/: { printf(" AX_PAUSE_WATERLVL_LOW\n"); usb_ack(req_length); } break; case 0x73/*AX_LEDCTRL*/: { printf(" AX_LEDCTRL\n"); usb_ack(req_length); } break; case 0x33/*AX_CLOCK_SELECT*/: { printf(" AX_CLOCK_SELECT\n"); usb_ack(req_length); } break; case 0x10/*AX_NODE_ID*/: { printf(" AX_NODE_ID\n"); if (is_dir_in) { unsigned char mac_addr[] = { 0x00, 0x12, 0x34, 0x56, 0x78, 0x90 }; usb_reply(mac_addr, sizeof(mac_addr), req_length); } else { usb_ack(req_length); } } break; default: if (is_dir_in) { errx(1, " unknown AX_ACCESS_MAC command 0x%02hhx", control_ev.ctrl.wValue); } else { printf(" ignoring unknown OUT AX_ACCESS_MAC command 0x%02hx\n", control_ev.ctrl.wValue); } } } break; case 0x02/*AX_ACCESS_PHY*/: { printf(" AX_ACCESS_PHY\n"); assert(control_ev.ctrl.wValue == 0x03/*AX88179_PHY_ID*/); static unsigned short mmd_id; static bool no_auto_increment; switch (control_ev.ctrl.wIndex) { case MII_BMCR: { /* Basic mode control register */ /* idk what any of these flags actually do in detail... */ printf(" MII_BMCR (basic mode control register)\n"); if (is_dir_in) { unsigned short bmcr_state = BMCR_SPEED1000 | BMCR_FULLDPLX; usb_reply(&bmcr_state, sizeof(bmcr_state), req_length); } else { usb_ack(req_length); } } break; case MII_MMD_CTRL: { printf(" MII_MMD_CTRL\n"); usb_get_and_ack(&mmd_id, 2, req_length); mmd_id &= ~0x4000; no_auto_increment = (mmd_id & 0x4000) != 0; printf(" set ID %d, no-auto-increment %d\n", mmd_id, no_auto_increment); } break; case MII_MMD_DATA: { printf(" MII_MMD_DATA (at ID %d)\n", mmd_id); if (is_dir_in) { switch (mmd_id) { case MDIO_MMD_PCS: printf(" Physical Coding Sublayer\n"); // decoded via mmd_eee_cap_to_ethtool_sup_t() unsigned short eee_caps = MDIO_EEE_1000T; usb_reply(&eee_caps, sizeof(eee_caps), req_length); break; case MDIO_MMD_AN: printf(" Auto-Negotiation\n"); // WARNING: this is actually used in two different // contexts unsigned short eee_adv = MDIO_EEE_1000T; usb_reply(&eee_adv, sizeof(eee_adv), req_length); break; default: errx(1, "unknown ID %d", mmd_id); } } else { usb_ack(req_length); } } break; case MII_PHYADDR: { printf(" MII_PHYADDR\n"); usb_ack(req_length); } break; case 0x11/*GMII_PHY_PHYSR*/: { printf(" MII_PHY_PHYSR\n"); unsigned short physr = 0x0400/*GMII_PHY_PHYSR_LINK*/ | 0x8000/*GMII_PHY_PHYSR_GIGA*/; usb_reply(&physr, sizeof(physr), req_length); } break; case 0x1a/*GMII_LED_ACT*/: { printf(" GMII_LED_ACT\n"); if (is_dir_in) { unsigned short ledact = 0; usb_reply(&ledact, sizeof(ledact), req_length); } else { usb_ack(req_length); } } break; case 0x1c/*GMII_LED_LINK*/: { printf(" GMII_LED_LINK\n"); if (is_dir_in) { unsigned short ledlink = 0; usb_reply(&ledlink, sizeof(ledlink), req_length); } else { usb_ack(req_length); } } break; case 0x1e/*GMII_PHYPAGE*/: { printf(" GMII_PHYPAGE\n"); usb_ack(req_length); } break; case 0x1f/*GMII_PHY_PAGE_SELECT*/: { printf(" GMII_PHY_PAGE_SELECT\n"); usb_ack(req_length); } break; default: errx(1, " unknown AX_ACCESS_PHY command 0x%02hhx", control_ev.ctrl.wIndex); } } break; case 0x04/*AX_ACCESS_PHY*/: { unsigned eeprom_idx = (unsigned)control_ev.ctrl.wValue; printf(" AX_ACCESS_EEPROM at 0x%x\n", eeprom_idx); if (is_dir_in) { printf(" EEPROM read\n"); switch (eeprom_idx) { case 0x43: {/* autodetach */ unsigned short autodetach = 0xffff; usb_reply(&autodetach, sizeof(autodetach), req_length); } break; default: errx(1, "unhandled EEPROM offset"); } } else { printf(" ignoring EEPROM write\n"); usb_ack(req_length); } } break; case 0x81: { printf(" 0x81 TX FIFO check\n"); unsigned int tx_fifo_state = 0; usb_reply(&tx_fifo_state, sizeof(tx_fifo_state), req_length); } break; #endif case 0x13/*AX_CMD_READ_NODE_ID*/: { unsigned char mac_addr[] = { 0x00, 0x12, 0x34, 0x56, 0x78, 0x90 }; usb_reply(mac_addr, sizeof(mac_addr), req_length); } break; case 0x21/*AX_CMD_SW_PHY_STATUS*/: case 0x1a/*AX_CMD_READ_MEDIUM_STATUS*/: case 0x0f/*AX_CMD_READ_RX_CTL*/: { usb_reply_zero(req_length); } break; case 0x19/*AX_CMD_READ_PHY_ID*/: { printf(" CMD_READ_PHY_ID\n"); unsigned short phy_id = 1; usb_reply(&phy_id, sizeof(phy_id), req_length); } break; case 0x09/*AX_CMD_STATMNGSTS_REG*/: { printf(" CMD_STATMNGSTS_REG\n"); unsigned char val = 0x01; /* AX_HOST_EN */ usb_reply(&val, sizeof(val), req_length); } break; case 0x07/*AX_CMD_READ_MII_REG*/: { printf(" CMD_READ_MII_REG\n"); /* unsigned char val = 0x01; usb_reply(&val, sizeof(val), req_length); */ switch (control_ev.ctrl.wIndex) { case MII_BMCR: { /* Basic mode control register */ /* idk what any of these flags actually do in detail... */ printf(" MII_BMCR (basic mode control register)\n"); unsigned short bmcr_state = BMCR_SPEED100 | BMCR_FULLDPLX; usb_reply(&bmcr_state, sizeof(bmcr_state), req_length); } break; case MII_BMSR: { /* Basic mode status register */ printf(" MII_BMSR (basic mode status register)\n"); /* say link is initially down */ unsigned short bmsr_state = ((state > 0) ? BMSR_LSTATUS : 0) | BMSR_100FULL; usb_reply(&bmsr_state, sizeof(bmsr_state), req_length); } break; case MII_ADVERTISE: { /* Advertisement control register */ printf(" MII_ADVERTISE\n"); unsigned short adv_state = ADVERTISE_100FULL; usb_reply(&adv_state, sizeof(adv_state), req_length); } break; case MII_LPA: { /* Link partner ability */ printf(" MII_LPA (Link partner ability)\n"); unsigned short lpa_state = LPA_100FULL; usb_reply(&lpa_state, sizeof(lpa_state), req_length); } break; case MII_PHYSID1: case MII_PHYSID2: { printf(" MII_PHYSID\n"); unsigned short physid = 1; usb_reply(&physid, sizeof(physid), req_length); } break; default: errx(1, " unknown READ_MII_REG command 0x%02hhx", control_ev.ctrl.wIndex); } } break; #if 0 case 0x10/*AX_CMD_WRITE_RX_CTL*/: { printf(" CMD_WRITE_RX_CTL = 0x%hx\n", control_ev.ctrl.wIndex); usb_ack(req_length); } break; case 0x16/*AX_CMD_WRITE_MULTI_FILTER*/: { printf(" CMD_WRITE_MULTI_FILTER\n"); usb_ack(req_length); } break; #endif default: if (is_dir_in) { errx(1, "unknown vendor ctrlrequest 0x%02hhx", control_ev.ctrl.bRequest); } else { printf(" ignoring unknown vendor ctrlrequest 0x%02hx\n", control_ev.ctrl.bRequest); usb_ack(req_length); } } break; default: errx(1, "USB_TYPE_* unknown"); } } else { printf("unknown event, type 0x%x\n", (unsigned)control_ev.inner.type); } } } advisory-info.txt Linux USB: usbnet tells minidrivers to unbind while netdev is still up, causing UAFs I've been digging more into the usbnet code, and it's all really brittle. I keep hitting random KASAN splats while I'm just trying to normally bring up drivers (mainly when my fake USB device can't handle some request yet and exits, which results in a USB disconnect, and apparently usbnet tends to blow up a lot in various ways if you disconnect before the device is fully up, at least on a kernel with CONFIG_RCU_STRICT_GRACE_PERIOD=y). One particularly easy-to-trigger bug was introduced by commit 2c9d6c2b871d (\"usbnet: run unbind() before unregister_netdev()\"), first in v5.14. Before that commit, the driver_info->unbind() callback was the last call to the minidriver during USB disconnect, and so one of the things some minidrivers do there is to free memory associated with the device. But after that commit, the semantics of driver_info->unbind() are completely different: It is called at a point where the networking subsystem **has no idea** yet that the device is going down. The netdev might still be up, or in the middle of going up, or going down, or whatever else netdevs do; and so it is still possible that e.g. userspace sends some netlink message that results in a call to the minidriver's ->reset method, and then e.g. aqc111_reset() will try to access its freed dev->driver_priv, and you get UAF. I looked at this more, and it turns out that with another minidriver, you don't even need to race to cause a UAF: Simply disconnecting a USB device when it is currently up will reliably cause a UAF. This is the case with the driver in drivers/net/usb/ax88172a.c (described as \"ASIX AX88172A USB 2.0 Ethernet\"), which is only used for the USB device ID of some demo board, nothing else: /* ASIX 88172a demo board */ USB_DEVICE(0x0b95, 0x172a), .driver_info = (unsigned long) &ax88172a_info, (Even though this driver is only used for talking to some demo board, it is enabled in kconfig together with all the other ASIX devices using kconfig flag CONFIG_USB_NET_AX8817X, which is enabled on many kernels, including Debian, some Android kernels and Chrome OS. Android and Chrome OS are probably not affected by this one though, since they run sufficiently old kernels...) The call graph of how the UAF happens: usbnet_disconnect ax88172a_unbind (as driver_info->unbind) kfree(dev->driver_priv) unregister_netdev unregister_netdevice unregister_netdevice_queue unregister_netdevice_many dev_close_many __dev_close_many usbnet_stop (as ops->ndo_stop) ax88172a_stop (as driver_info->stop) [UAF access to dev->driver_priv] The driver_info->stop() handler tries to access data that was freed in driver_info->unbind(). This makes it pretty clear that the reordering in commit 2c9d6c2b871d broke stuff. I have no clue how to fix all this though. From what I can tell, there are two points during usbnet_disconnect() where the minidriver might want to get a callback: - When ->ndo_close() is invoked by the netdev code; at that point, the netdev is definitely down but hasn't been completely torn down yet. usbnet doesn't currently use ->ndo_open/->ndo_close at all. - In the spot where the driver_info->unbind callback used to happen before commit 2c9d6c2b871d. But I have no clue whether we need one or both of these, and which of the things the current ->unbind callbacks do have to happen at what time. commit 2c9d6c2b871d claims that the current ->unbind callback is too late for the minidriver to disconnect PHY, so I guess that should probably happen in ->ndo_close()? Maybe? This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-05-19. ==== kernel splats and reproduction instructions ==== On a system running a normal Debian experimental kernel (version 5.17.0-rc3-amd64 #1 Debian 5.17~rc3-1~exp1), this also happens. With slub_debug=PF (to make SLUB poison freed memory and do some extra consistency checks to make UAFs easier to see), I get this in dmesg when I attach a fake USB device (over real USB, using a NET2380 USB device-side controller on another machine), wait for a few seconds so that it can be brought up completely, and then disconnect it: [ 138.697877] usb 1-2: new high-speed USB device number 3 using xhci_hcd [ 138.852315] usb 1-2: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice= 0.00 [ 138.856972] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 138.861557] usb 1-2: Product: DUMMY [ 138.866016] usb 1-2: Manufacturer: DUMMY [ 138.870312] usb 1-2: SerialNumber: DUMMY [ 139.403344] asix 1-2:1.0 (unnamed net_device) (uninitialized): registered mdio bus usb-001:003 [ 139.404897] asix 1-2:1.0 eth1: register 'asix' at usb-0000:00:14.0-2, ASIX AX88172A USB 2.0 Ethernet, 00:12:34:56:78:90 [ 139.406292] usbcore: registered new interface driver asix [ 139.408747] usbcore: registered new interface driver cdc_ether [ 139.481399] asix 1-2:1.0 enx001234567890: renamed from eth1 [ 140.150427] asix 1-2:1.0 enx001234567890: Connected to phy usb-001:003:00 [ 149.299153] usb 1-2: USB disconnect, device number 3 [ 149.303077] asix 1-2:1.0 enx001234567890: unregister 'asix' usb-0000:00:14.0-2, ASIX AX88172A USB 2.0 Ethernet [ 149.306775] asix 1-2:1.0 enx001234567890: deregistering mdio bus usb-001:003 [ 149.314206] asix 1-2:1.0 enx001234567890: Disconnecting from phy kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk\\xa5%!LhH\\xf2/\\xa1ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ\\x80\\xe5W\\xe1\\xf9\\x99\\xff\\xff\\xe0#\u0561\\xff\\xff\\xff\\xff\\x80t\\xf0\\xc0\\xff\\xff\\xff\\xff\\x98XW\\x82\\xf9\\x99\\xff\\xff\\x80\\xb9[\\xe1\\xf9\\x99\\xff\\xff [ 149.315731] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6f43: 0000 [#1] PREEMPT SMP PTI [ 149.317234] CPU: 4 PID: 105 Comm: kworker/4:1 Tainted: G E 5.17.0-rc3-amd64 #1 Debian 5.17~rc3-1~exp1 [ 149.318815] Hardware name: [...] [ 149.320214] Workqueue: usb_hub_wq hub_event [usbcore] [ 149.321030] RIP: 0010:phy_stop+0x9/0xf0 [libphy] [ 149.321835] Code: 02 e0 eb d4 48 8b 0c dd 20 ed b9 c0 e9 33 ff ff ff 4c 89 f7 e8 68 a3 fa df eb c6 e8 11 ff 1a e0 90 0f 1f 44 00 00 41 54 55 53 <8b> 87 d8 03 00 00 4c 8b a7 28 05 00 00 8d 50 ff 83 fa 01 0f 86 af [ 149.322714] RSP: 0018:ffffb68a807efa58 EFLAGS: 00010246 [ 149.323560] RAX: 0000000000000000 RBX: ffff99f9e168e980 RCX: 0000000000000000 [ 149.324405] RDX: ffffb68a807efa08 RSI: ffffffffa15526f6 RDI: 6b6b6b6b6b6b6b6b [ 149.325251] RBP: ffff99f9e15bbb80 R08: 0000000000000000 R09: ffffb68a807ef758 [ 149.326128] R10: ffffb68a807ef750 R11: ffffffffa1cd1568 R12: 0000000000000000 [ 149.326965] R13: ffff99f9e168e980 R14: ffffb68a807efad0 R15: ffffb68a807efba0 [ 149.327800] FS: 0000000000000000(0000) GS:ffff99fc8f700000(0000) knlGS:0000000000000000 [ 149.328641] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 149.329482] CR2: 00007fc2351ba6f4 CR3: 00000002fb410001 CR4: 00000000001706e0 [ 149.330352] Call Trace: [ 149.331198] <TASK> [ 149.332030] ax88172a_stop.cold+0x20/0x2e [asix] [ 149.332857] usbnet_stop+0x64/0x140 [usbnet] [ 149.333676] __dev_close_many+0x9e/0x110 [ 149.334512] dev_close_many+0x8b/0x140 [ 149.335295] ? __slab_free+0xa0/0x330 [ 149.336059] unregister_netdevice_many+0x158/0x740 [ 149.336816] ? kfree+0x218/0x250 [ 149.337573] unregister_netdevice_queue+0xcb/0x110 [ 149.338361] unregister_netdev+0x18/0x20 [ 149.339112] usbnet_disconnect+0x59/0xb0 [usbnet] [ 149.339864] usb_unbind_interface+0x8a/0x270 [usbcore] [ 149.340616] __device_release_driver+0x22d/0x240 [ 149.341358] device_release_driver+0x24/0x30 [ 149.342112] bus_remove_device+0xd8/0x140 [ 149.342840] device_del+0x18b/0x3f0 [ 149.343573] ? kobject_put+0x91/0x1d0 [ 149.344307] usb_disable_device+0xc6/0x1e0 [usbcore] [ 149.345056] usb_disconnect.cold+0x7b/0x24d [usbcore] [ 149.345802] hub_event+0xc4c/0x1880 [usbcore] [ 149.346571] ? preempt_count_sub+0x81/0x90 [ 149.347313] process_one_work+0x1e5/0x3b0 [ 149.348055] ? rescuer_thread+0x370/0x370 [ 149.348795] worker_thread+0x50/0x3a0 [ 149.349531] ? rescuer_thread+0x370/0x370 [ 149.350292] kthread+0xe7/0x110 [ 149.351030] ? kthread_complete_and_exit+0x20/0x20 [ 149.351771] ret_from_fork+0x22/0x30 [ 149.352504] </TASK> [ 149.353234] Modules linked in: cdc_ether(E) asix(E) selftests(E) usbnet(E) mii(E) nfnetlink(E) rfkill(E) zstd(E) zstd_compress(E) zram(E) zsmalloc(E) intel_rapl_msr(E) intel_rapl_common(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) nls_ascii(E) nls_cp437(E) vfat(E) snd_hda_codec_realtek(E) kvm_intel(E) fat(E) snd_hda_codec_generic(E) snd_hda_codec_hdmi(E) ledtrig_audio(E) kvm(E) irqbypass(E) snd_hda_intel(E) crc32_pclmul(E) snd_intel_dspcfg(E) snd_intel_sdw_acpi(E) snd_hda_codec(E) iTCO_wdt(E) intel_pmc_bxt(E) iTCO_vendor_support(E) snd_hda_core(E) at24(E) mei_hdcp(E) watchdog(E) ghash_clmulni_intel(E) snd_hwdep(E) snd_pcm_oss(E) snd_mixer_oss(E) rapl(E) r8169(E) intel_cstate(E) intel_uncore(E) efi_pstore(E) pcspkr(E) realtek(E) snd_pcm(E) mdio_devres(E) i2c_i801(E) snd_timer(E) mei_me(E) i2c_smbus(E) snd(E) ehci_pci(E) sg(E) libphy(E) soundcore(E) ehci_hcd(E) mei(E) lpc_ich(E) button(E) msr(E) parport_pc(E) ppdev(E) parport(E) fuse(E) configfs(E) efivarfs(E) ip_tables(E) [ 149.353267] x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) dm_crypt(E) dm_mod(E) raid10(E) raid456(E) libcrc32c(E) crc32c_generic(E) async_raid6_recov(E) async_memcpy(E) async_pq(E) async_xor(E) xor(E) async_tx(E) raid6_pq(E) raid1(E) raid0(E) multipath(E) linear(E) md_mod(E) hid_generic(E) usbhid(E) hid(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) crct10dif_pclmul(E) crct10dif_common(E) evdev(E) crc32c_intel(E) i915(E) i2c_algo_bit(E) ahci(E) xhci_pci(E) libahci(E) drm_kms_helper(E) xhci_hcd(E) cec(E) rc_core(E) libata(E) ttm(E) aesni_intel(E) crypto_simd(E) usbcore(E) scsi_mod(E) cryptd(E) scsi_common(E) drm(E) usb_common(E) video(E) [ 149.360796] ---[ end trace 0000000000000000 ]--- [ 149.362505] ------------[ cut here ]------------ In my test VM with a bunch of kernel debugging enabled, I get this KASAN splat (shown here without guess frames) when I attach the same fake USB device through an emulated HCD: BUG: KASAN: use-after-free in ax88172a_stop+0xab/0xc0 Read of size 8 at addr ffff88800c684e48 by task kworker/0:2/33 CPU: 0 PID: 33 Comm: kworker/0:2 Not tainted 5.17.0-rc4-00054-gf71077a4d84b #949 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> dump_stack_lvl+0x45/0x59 print_address_description.constprop.0+0x1f/0x150 kasan_report.cold+0x7f/0x11b ax88172a_stop+0xab/0xc0 usbnet_stop+0x13d/0x390 __dev_close_many+0x18c/0x290 dev_close_many+0x18a/0x3f0 unregister_netdevice_many+0x2f8/0x1420 unregister_netdevice_queue+0x1dc/0x280 unregister_netdev+0x18/0x20 usbnet_disconnect+0x118/0x260 usb_unbind_interface+0x182/0x7e0 __device_release_driver+0x531/0x670 device_release_driver+0x26/0x40 bus_remove_device+0x2ae/0x570 device_del+0x490/0xb50 usb_disable_device+0x294/0x600 usb_disconnect.cold+0x1fb/0x68b hub_event+0x1472/0x39d0 process_one_work+0x91d/0x15d0 worker_thread+0x57b/0x1240 kthread+0x2a5/0x350 ret_from_fork+0x22/0x30 </TASK> Allocated by task 33: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 ax88172a_bind+0x95/0x7b0 usbnet_probe+0xa62/0x2370 usb_probe_interface+0x27d/0x760 really_probe+0x475/0xbd0 __driver_probe_device+0x18f/0x470 driver_probe_device+0x49/0x120 __device_attach_driver+0x199/0x250 bus_for_each_drv+0x125/0x1b0 __device_attach+0x1e0/0x3d0 bus_probe_device+0x1a5/0x260 device_add+0x971/0x1a70 usb_set_configuration+0x92b/0x1600 usb_generic_driver_probe+0x79/0xa0 usb_probe_device+0xab/0x250 really_probe+0x475/0xbd0 __driver_probe_device+0x18f/0x470 driver_probe_device+0x49/0x120 __device_attach_driver+0x199/0x250 bus_for_each_drv+0x125/0x1b0 __device_attach+0x1e0/0x3d0 bus_probe_device+0x1a5/0x260 device_add+0x971/0x1a70 usb_new_device.cold+0x47d/0xb88 hub_event+0x20c7/0x39d0 process_one_work+0x91d/0x15d0 worker_thread+0x57b/0x1240 kthread+0x2a5/0x350 ret_from_fork+0x22/0x30 Freed by task 33: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0xe0/0x110 kfree+0xa5/0x2b0 usbnet_disconnect+0xe7/0x260 usb_unbind_interface+0x182/0x7e0 __device_release_driver+0x531/0x670 device_release_driver+0x26/0x40 bus_remove_device+0x2ae/0x570 device_del+0x490/0xb50 usb_disable_device+0x294/0x600 usb_disconnect.cold+0x1fb/0x68b hub_event+0x1472/0x39d0 process_one_work+0x91d/0x15d0 worker_thread+0x57b/0x1240 kthread+0x2a5/0x350 ret_from_fork+0x22/0x30 If you want to test this yourself, you can use the USB raw gadget (https://www.kernel.org/doc/html/latest/usb/raw-gadget.html) with dummy_hcd. Compile the attached testcase, then run it as \"./usb-ax88172a dummy_udc dummy_udc.0\", wait a few seconds for the device to come up, and press CTRL+C to trigger USB disconnect. This requires CONFIG_USB_DUMMY_HCD=y and CONFIG_USB_RAW_GADGET=y. Found by: jannh@google.com Source
    1 point
  4. Am niste "dubii" vreau sa ma joc cu el, din ce am aflat cca. 90% cred ca sunt informatii reale, nu masini de cusut...
    1 point
  5. @Kevce faci cu el? Ca e pe 2g si te sparg la securitate pe partea de carrier... Cred ca se pot seta chei de criptare pe telefoanele astea? Cand eram mic (2001) a gasit un var un telefon din asta si m-am uitat si eu pana sa il returneze. Nu avea meniuri directe. Poate tot asa, coduri secrete. Stiu ca avea jocul tennis :))) mersi.
    1 point
  6. lol, ce post :)))))) 🚨 https://www.olx.ro/d/oferta/nokia-8110i-matrix-IDgUkUr.html
    1 point
  7. VMware și-a avertizat clienții cu privire la o vulnerabilitate critică prezentă în mai multe dintre produsele sale, inclusiv Workspace One Access și Identity Manager, care ar putea permite hackerilor să preia controlul mașinilor vulnerabile. Defecțiunea bazata pe "code execution", urmărită ca CVE-2020-4006 și evaluată cu 9,1 pe scara de severitate a amenințărilor CVSS, poate fi exploatată într-o serie de produse VMware, a avertizat compania. În prezent nu există niciun patch disponibil, deși firma a emis o soluție care poate fi aplicată în unele cazuri. De asemenea, nu se menționează dacă defectul este exploatat activ în natură sau nu. Hackerii înarmați cu acces la rețea la configuratorul administrativ de pe portul 8443 și o parolă validă pentru contul de administrator pot exploata eroarea pentru a executa comenzi cu privilegii nerestricționate pe sistemul de operare (OS) subiacent. Serviciile afectate sunt: - VMware Workspace - Cloud Foundation, - vRealize Suite Lifecycle Manager. - Workspace One Access Connector, - One Access, VMware Workspace One Access 20.10 (Linux) VMware Workspace One Access 20.01 (Linux) - Identity Manager, VMware Identity Manager 3.3.1 up to 3.3.3 (Linux) - Identity Manager Connector, VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux) VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows) Vulnerabilitatea poate fi exploatată în unele produse găzduite pe Linux, dar nu și pe Windows dar și în alte sisteme de operare. Detaliile complete despre configurațiile software și OS afectate sunt prezentate în recomandările de securitate ale VMware. Până la lansarea unui patch, VMware a prezentat o soluție care poate fi aplicată unor linii de produse, dar nu tuturor. Clienții care utilizează Workspace One Access, VMware Identity Manager și VMware Identity Manager Connector pot urma pașii detaliați prezentați aici, pentru configuratorul găzduit pe portul 8443. Aceasta implică executarea unui set de comenzi pentru toate produsele afectate. Soluția de soluționare nu este compatibilă cu alte produse dincolo de cele trei care ar putea fi afectate, iar clienții vor trebui să stea cu ochii deschiși pentru orice noutati despre un patch la momentul lansării unuia. Știrile despre această vulnerabilitate au sosit la doar câteva zile după ce VMware a confirmat două defecte critice în produsele sale ESXi, Workstation, Fusion și Cloud Foundation. Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004)
    1 point
×
×
  • Create New...