Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible race condition in usb_hid #53

Open
lainy opened this issue Sep 9, 2020 · 2 comments
Open

Possible race condition in usb_hid #53

lainy opened this issue Sep 9, 2020 · 2 comments
Assignees
@szszszsz
Labels
bug Something isn't working test Needs retesting
Milestone
Version 2.3

Comments

@lainy
Copy link

lainy commented Sep 9, 2020

While looking through the code I found a possible race condition in usbd_hid.c:

void usb_hid_recieve_callback(uint8_t ep)
{
    fifo_hidmsg_add(hidmsg_buf);
    memset(hidmsg_buf,0,64);
    USBD_LL_PrepareReceive(&Solo_USBD_Device,
            HID_ENDPOINT,
            hidmsg_buf,
            HID_PACKET_SIZE);
}

The above fifo_hidmsg_add is ultimately called from USB_IRQHandler which seems to run directly from interrupt context (see startup_stm32l432xx.s).
However, as best I can tell (FIFO functions defined here), neither fifo_hidmsg_add nor fifo_hidmsg_take (or its usage in the code) are guarding against interrupts.

Posting as an issue because I do not believe this represents a security vulnerability, but if a HID request comes in while fifo_hidmsg_take is running, I suspect it will bork the FIFO state.
@szszszsz szszszsz added this to the Version 2.2 milestone Sep 9, 2020
@szszszsz szszszsz added the investigate Reproduce the failing scenario and find the cause label Sep 9, 2020
@szszszsz
Copy link
Member

szszszsz commented Sep 9, 2020

Hi!
Thank you for the report! Looks interesting - will check it next week.

@szszszsz szszszsz self-assigned this Sep 9, 2020
@szszszsz szszszsz changed the title Possible race condition? Possible race condition in usb_hid Sep 9, 2020
szszszsz added a commit that referenced this issue Sep 23, 2020
@szszszsz
Add defensive code against possible FIFO race condition
3f10085 
Fixes #53
@szszszsz
Copy link
Member

Indeed it seems, that _add could be fired while executing _take. Added IRQ global handling. To be tested.

@szszszsz szszszsz added bug Something isn't working test Needs retesting and removed investigate Reproduce the failing scenario and find the cause labels Sep 23, 2020
@szszszsz szszszsz modified the milestones: Version 2.2, Version 2.3 Sep 23, 2020
@szszszsz szszszsz mentioned this issue Sep 28, 2020
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@szszszsz szszszsz

Labels
bug Something isn't working test Needs retesting
Projects
None yet
Milestone
Version 2.3
Development

No branches or pull requests
2 participants
@lainy @szszszsz