All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ulf Hansson <ulf.hansson@linaro.org>
To: Tong Zhang <ztong0001@gmail.com>
Cc: Maxim Levitsky <maximlevitsky@gmail.com>,
	Alex Dubov <oakad@yahoo.com>,
	linux-mmc <linux-mmc@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] memstick: rtsx_usb_ms: fix UAF
Date: Tue, 11 May 2021 12:39:46 +0200	[thread overview]
Message-ID: <CAPDyKFrFGo9gmG+EH2hS4oXPn5Jx9v8Pk8jKgvm9KW4Mdk+85A@mail.gmail.com> (raw)
In-Reply-To: <20210509215416.950337-1-ztong0001@gmail.com>

On Sun, 9 May 2021 at 23:54, Tong Zhang <ztong0001@gmail.com> wrote:
>
> This patch fixes the following issues:
> 1. memstick_free_host() will free the host, so the use of ms_dev(host) after
> it will be a problem. To fix this, move memstick_free_host() after when we
> are done with ms_dev(host).
> 2. if something bad happens in memstick_add_host() and we end up taking
> err_out in rtsx_usb_ms_drv_probe(), we'd better avoid running rtsx_usb_ms_drv_remove()

If the ->probe() function returns a negative error code, the driver
core will not invoke the corresponding ->remove() callback.

Looks like you may want to double check that ->probe() doesn't return
0, even in case of failure.

> 3. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove
> and free host otherwise memstick_check will be called and UAF will
> happen.
>
> [   11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
> [   11.357077]  rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
> [   11.357376]  platform_remove+0x2a/0x50
> [   11.367531] Freed by task 298:
> [   11.368537]  kfree+0xa4/0x2a0
> [   11.368711]  device_release+0x51/0xe0
> [   11.368905]  kobject_put+0xa2/0x120
> [   11.369090]  rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]
> [   11.369386]  platform_remove+0x2a/0x50
>
> [   12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0
> [   12.045432]  mutex_lock+0xc9/0xd0
> [   12.046080]  memstick_check+0x6a/0x578 [memstick]
> [   12.046509]  process_one_work+0x46d/0x750
> [   12.052107] Freed by task 297:
> [   12.053115]  kfree+0xa4/0x2a0
> [   12.053272]  device_release+0x51/0xe0
> [   12.053463]  kobject_put+0xa2/0x120
> [   12.053647]  rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]
> [   12.053939]  platform_remove+0x2a/0x50
>
> Signed-off-by: Tong Zhang <ztong0001@gmail.com>
> ---
>  drivers/memstick/host/rtsx_usb_ms.c | 13 +++++++------
>  1 file changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/memstick/host/rtsx_usb_ms.c b/drivers/memstick/host/rtsx_usb_ms.c
> index 102dbb8080da..851643d007b7 100644
> --- a/drivers/memstick/host/rtsx_usb_ms.c
> +++ b/drivers/memstick/host/rtsx_usb_ms.c
> @@ -799,9 +799,10 @@ static int rtsx_usb_ms_drv_probe(struct platform_device *pdev)
>
>         return 0;
>  err_out:
> -       memstick_free_host(msh);
>         pm_runtime_disable(ms_dev(host));
>         pm_runtime_put_noidle(ms_dev(host));
> +       memstick_free_host(msh);
> +       platform_set_drvdata(pdev, NULL);
>         return err;
>  }
>
> @@ -811,6 +812,8 @@ static int rtsx_usb_ms_drv_remove(struct platform_device *pdev)
>         struct memstick_host *msh = host->msh;
>         int err;
>
> +       if (!host)
> +               return 0;

According to my comment above. You should not reach this point, unless
->probe() was successful and returned 0.

>         host->eject = true;
>         cancel_work_sync(&host->handle_req);
>
> @@ -828,9 +831,6 @@ static int rtsx_usb_ms_drv_remove(struct platform_device *pdev)
>         }
>         mutex_unlock(&host->host_mutex);
>
> -       memstick_remove_host(msh);
> -       memstick_free_host(msh);
> -
>         /* Balance possible unbalanced usage count
>          * e.g. unconditional module removal
>          */
> @@ -838,10 +838,11 @@ static int rtsx_usb_ms_drv_remove(struct platform_device *pdev)
>                 pm_runtime_put(ms_dev(host));
>
>         pm_runtime_disable(ms_dev(host));
> -       platform_set_drvdata(pdev, NULL);
> -
> +       memstick_remove_host(msh);
>         dev_dbg(ms_dev(host),
>                 ": Realtek USB Memstick controller has been removed\n");
> +       memstick_free_host(msh);
> +       platform_set_drvdata(pdev, NULL);
>
>         return 0;
>  }
> --
> 2.25.1
>

Besides the above, the change looks reasonable to me.

Kind regards
Uffe

  reply	other threads:[~2021-05-11 10:40 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-09 21:54 [PATCH] memstick: rtsx_usb_ms: fix UAF Tong Zhang
2021-05-11 10:39 ` Ulf Hansson [this message]
2021-05-11 16:39   ` [PATCH v2] " Tong Zhang
2021-05-24 14:10     ` Ulf Hansson
2021-05-11 16:41   ` [PATCH] " Tong Zhang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAPDyKFrFGo9gmG+EH2hS4oXPn5Jx9v8Pk8jKgvm9KW4Mdk+85A@mail.gmail.com \
    --to=ulf.hansson@linaro.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mmc@vger.kernel.org \
    --cc=maximlevitsky@gmail.com \
    --cc=oakad@yahoo.com \
    --cc=ztong0001@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.