From: Alan Stern <stern@rowland.harvard.edu>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
<mathias.nyman@linux.intel.com>, <baoyou.xie@linaro.org>,
<peter.chen@nxp.com>, <wulf@rock-chips.com>,
<wsa-dev@sang-engineering.com>, <javier@osg.samsung.com>,
<chris.bainbridge@gmail.com>,
USB list <linux-usb@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: usb: use-after-free write in usb_hcd_link_urb_to_ep
Date: Thu, 23 Mar 2017 10:34:11 -0400 (EDT)
Message-ID: <Pine.LNX.4.44L0.1703231017500.1558-100000@iolanthe.rowland.org>
In-Reply-To: <CACT4Y+Y_EUwB_e=0Ot2uMX=-cvyi9DyBso=h+X9EJsamr4x7WQ@mail.gmail.com>
On Thu, 23 Mar 2017, Dmitry Vyukov wrote:
> Hello,
>
> I've got the following report while running syzkaller fuzzer on
> 093b995e3b55a0ae0670226ddfcb05bfbf0099ae. Note the preceding injected
> kmalloc failure, most likely it's the root cause.
I find this bug report puzzling. Maybe I don't understand it
correctly -- it appears that the so-called use-after-free actually
occurs _before_ the memory is deallocated!
> FAULT_INJECTION: forcing a failure.
Skipping this part. Is it relevant? It seems to refer to a different
memory buffer.
> ==================================================================
> BUG: KASAN: use-after-free in __list_add_valid+0xc6/0xd0
> lib/list_debug.c:26 at addr ffff88003c377a20
> Read of size 8 by task syz-executor7/3348
> CPU: 3 PID: 3348 Comm: syz-executor7 Not tainted 4.11.0-rc3+ #364
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
Here are the relevant pieces of the stack traces. Everything below
these parts is the same, and everything above them is unimportant.
(And everything happened in the same process.) The use-after-free
access occurred within this call:
> usb_start_wait_urb+0x135/0x320 drivers/usb/core/message.c:56
> usb_internal_control_msg drivers/usb/core/message.c:100 [inline]
Here's where the allocation call occurred:
> Allocated:
> PID = 3348
...
> usb_internal_control_msg drivers/usb/core/message.c:93 [inline]
And here's where the buffer was deallocated:
> Freed:
> PID = 3348
...
> usb_start_wait_urb+0x234/0x320 drivers/usb/core/message.c:78
> usb_internal_control_msg drivers/usb/core/message.c:100 [inline]
Putting these together:
The memory was allocated in usb_internal_control_msg() line 93.
The later events occurred within the call in line 100 to
usb_start_wait_urb().
The invalid access occurred within usb_start_wait_urb() line 56.
The memory was deallocated within usb_start_wait_urb() line 78.
Since these routines don't involve any loops or backward jumps, this
says that the invalid access occurred before the memory was
deallocated! So why is it reported as a problem?
Alan
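The cross-referencing Alan does by hand above (find the innermost function shared by the access stack and the free stack, then compare the two line numbers) can be mechanised for triage of KASAN reports. The script below is an added example, not code from the thread or from the kernel: it parses a constructed report excerpt modelled on the frames quoted above (the kmalloc/kfree frames and their line numbers are placeholders, not from the original report) and returns, for each pair of stacks, the shared function and the line numbers on each side.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed KASAN report excerpt modelled on the frames quoted in the thread.
# The kmalloc/kfree frames and their ":0" line numbers are placeholders.
REPORT = """\
BUG: KASAN: use-after-free in __list_add_valid+0xc6/0xd0 lib/list_debug.c:26 at addr ffff88003c377a20
Read of size 8 by task syz-executor7/3348
Call Trace:
 __list_add_valid+0xc6/0xd0 lib/list_debug.c:26
 usb_start_wait_urb+0x135/0x320 drivers/usb/core/message.c:56
 usb_internal_control_msg drivers/usb/core/message.c:100 [inline]
Allocated:
PID = 3348
 kmalloc include/linux/slab.h:0 [inline]
 usb_internal_control_msg drivers/usb/core/message.c:93 [inline]
Freed:
PID = 3348
 kfree mm/slub.c:0
 usb_start_wait_urb+0x234/0x320 drivers/usb/core/message.c:78
 usb_internal_control_msg drivers/usb/core/message.c:100 [inline]
"""


@dataclass(frozen=True)
class Frame:
    func: str
    file: str
    line: int


# One stack frame: "func[+0xoff/0xsize] path/file.c:NNN [inline]"
FRAME_RE = re.compile(
    r"^\s*(?P<func>[A-Za-z_][\w.]*)"          # function name
    r"(?:\+0x[0-9a-fA-F]+/0x[0-9a-fA-F]+)?"   # optional +offset/size
    r"\s+(?P<file>\S+):(?P<line>\d+)"         # source file:line
    r"(?:\s+\[inline\])?\s*$"
)
HEADER_RE = re.compile(r"^BUG: KASAN: (?P<kind>\S+) in ")
SECTION_NAMES = {"Call Trace:": "access", "Allocated:": "allocated", "Freed:": "freed"}


def parse_report(text: str) -> Tuple[Optional[str], Dict[str, List[Frame]]]:
    """Split a KASAN report into its three stacks, innermost frame first."""
    kind = None
    stacks: Dict[str, List[Frame]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            kind = m.group("kind")
            continue
        if line.strip() in SECTION_NAMES:
            current = SECTION_NAMES[line.strip()]
            stacks[current] = []
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            stacks[current].append(Frame(m.group("func"), m.group("file"), int(m.group("line"))))
    return kind, stacks


def first_shared_frame(a: List[Frame], b: List[Frame]) -> Optional[Tuple[Frame, Frame]]:
    """Innermost function present in both stacks, with its frame from each side."""
    innermost_in_b: Dict[str, Frame] = {}
    for f in b:
        innermost_in_b.setdefault(f.func, f)
    for fa in a:
        if fa.func in innermost_in_b:
            return fa, innermost_in_b[fa.func]
    return None


def analyse(text: str) -> dict:
    """Compare line numbers in the functions shared by the access, alloc and free stacks."""
    kind, stacks = parse_report(text)
    result = {"kind": kind, "access_vs_free": None, "alloc_vs_access": None,
              "access_precedes_free": None}
    access, alloc, freed = (stacks.get(k, []) for k in ("access", "allocated", "freed"))

    pair = first_shared_frame(access, freed)
    if pair:
        fa, ff = pair
        result["access_vs_free"] = (fa.func, fa.line, ff.line)
        # Line order implies execution order only if the shared function is
        # straight-line code (no loops or backward jumps), the assumption the
        # message above makes for usb_start_wait_urb(). A True here is the
        # contradiction Alan points out: the access would precede the free.
        result["access_precedes_free"] = fa.line < ff.line

    pair = first_shared_frame(alloc, access)
    if pair:
        fl, fa = pair
        result["alloc_vs_access"] = (fl.func, fl.line, fa.line)
    return result


if __name__ == "__main__":
    for key, value in analyse(REPORT).items():
        print(f"{key}: {value}")
```

Run on the constructed excerpt it reports usb_start_wait_urb with access at line 56 and free at line 78, and usb_internal_control_msg with allocation at line 93 and the later call at line 100, which is exactly the ordering puzzle the message describes; on a real report the same check only flags the anomaly when the shared function really has no loop between the two lines.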