New issue
Advanced search Search tips

Issue 852099 link

Starred by 1 user
Status: WontFix
Owner:
odejesush@chromium.org
Closed: Jun 2018
Cc:
reillyg@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Bug


Show other hotlists

Hotlists containing this issue:
Hotlist-1


Sign in to add a comment

Unclaimed USB devices can still have data sent when control transfers.

Project Member Reported by odejesush@chromium.org, Jun 12 2018 
Chrome Version: 67.0.3396.79 (Official Build) (64-bit)
OS: Linux (most likely present on other OSes)

What steps will reproduce the problem?
(1) Navigate to https://sowbug.github.io/weblight/ in two different tabs
(2) Connect a WebLight device and grant the site permission to access it in one window. The connected device will be listed on the page.
(3) In the other window, either grant the site permission to access the device or refresh the page. The connected device should be listed on the page.
(4) Pick a color in the other window, and the WebLight will change color even though it was not able to claim the interface successfully (The console has an Uncaught (in promise) DOMException).

What is the expected result?
The window that failed to claim the interface should not be able to control the USB device.

What happens instead?
The window that failed to claim the interface is able to control the USB device using controlTransferOut.

Comment 1 by reillyg@chromium.org, Jun 13 2018

Owner: odejesush@chromium.org
Status: Assigned (was: Untriaged)
This is working as intended except that there are interactions with protected interface classes that mean we should be careful about allowing control transfers without any interfaces claimed.

Comment 2 by odejesush@chromium.org, Jun 19 2018

Status: WontFix (was: Assigned)
It looks like we already check if interfaces are claimed, even if they are not protected interface classes.

In USBDevice::claimInterface, there is a check if the given |interface_number| is a protected interface class. If it is, then we reject with a SecurityError, and the message "The requested interface implements a protected class."
https://cs.chromium.org/chromium/src/third_party/blink/renderer/modules/webusb/usb_device.cc?l=237

In USBDevice::controlTransfer{In,Out}, the given USBControlTransferParameters are converted using ConvertControlTransferParameters(). This function uses EnsureInterfaceClaimed and returns a nullptr if the interface is not claimed.
https://cs.chromium.org/chromium/src/third_party/blink/renderer/modules/webusb/usb_device.cc?l=663

The Weblight project uses a requestType of "vendor" and a recipient of "device". I'll close it as WontFix, since it is indeed working as intended.

Sign in to add a comment