Linux-USB Archive on lore.kernel.org
 help / color / Atom feed
From: Oliver Neukum <oneukum@suse.com>
To: Alan Stern <stern@rowland.harvard.edu>,
	Andrey Konovalov <andreyknvl@google.com>
Cc: syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	syzbot <syzbot+1b2449b7b5dc240d107a@syzkaller.appspotmail.com>,
	LKML <linux-kernel@vger.kernel.org>,
	USB list <linux-usb@vger.kernel.org>
Subject: Re: KASAN: use-after-free Read in device_release_driver_internal
Date: Tue, 06 Aug 2019 14:36:51 +0200
Message-ID: <1565095011.8136.20.camel@suse.com> (raw)
In-Reply-To: <Pine.LNX.4.44L0.1908011359580.1305-100000@iolanthe.rowland.org>

[-- Attachment #1: Type: text/plain, Size: 1071 bytes --]

Am Donnerstag, den 01.08.2019, 14:47 -0400 schrieb Alan Stern:
> 
> I think this must be caused by an unbalanced refcount.  That is,
> something must drop one more reference to the device than it takes.
> That would explain why the invalid access occurs inside a single
> bus_remove_device() call, between the klist_del() and
> device_release_driver().
> 
> The kernel log indicates that the device was probed by rndis_wlan,
> rndis_host, and cdc_acm, all of which got errors because of the
> device's bogus descriptors.  Probably one of them is messing up the
> refcount.

Hi,

you made me look at cdc-acm. I suspect

cae2bc768d176bfbdad7035bbcc3cdc973eb7984 ("usb: cdc-acm: Decrement tty port's refcount if probe() fail")

is buggy decrementing the refcount on the interface in destroy()
even before the refcount is increased.

Unfortunately I cannot tell from the bug report how many and which
interfaces the emulated test device has. Hence it is unclear to me,
when exactly probe() would fail cdc-acm.

If you agree. I am attaching a putative fix.

	Regards
		Oliver

[-- Attachment #2: 0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch --]
[-- Type: text/x-patch, Size: 1751 bytes --]

From 6b31904e6cf75f89441e308b9e428a1de7728fd8 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Tue, 6 Aug 2019 14:34:27 +0200
Subject: [PATCH] usb: cdc-acm: make sure a refcount is taken early enough

destroy() will decrement the refcount on the interface, so that
it needs to be taken so early that it never undercounts.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/usb/class/cdc-acm.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 183b41753c98..28e3de775ada 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1301,10 +1301,6 @@ static int acm_probe(struct usb_interface *intf,
 	tty_port_init(&acm->port);
 	acm->port.ops = &acm_port_ops;
 
-	minor = acm_alloc_minor(acm);
-	if (minor < 0)
-		goto alloc_fail1;
-
 	ctrlsize = usb_endpoint_maxp(epctrl);
 	readsize = usb_endpoint_maxp(epread) *
 				(quirks == SINGLE_RX_URB ? 1 : 2);
@@ -1312,6 +1308,13 @@ static int acm_probe(struct usb_interface *intf,
 	acm->writesize = usb_endpoint_maxp(epwrite) * 20;
 	acm->control = control_interface;
 	acm->data = data_interface;
+
+	usb_get_intf(acm->control); /* undone in destroy() */
+
+	minor = acm_alloc_minor(acm);
+	if (minor < 0)
+		goto alloc_fail1;
+
 	acm->minor = minor;
 	acm->dev = usb_dev;
 	if (h.usb_cdc_acm_descriptor)
@@ -1458,7 +1461,6 @@ static int acm_probe(struct usb_interface *intf,
 	usb_driver_claim_interface(&acm_driver, data_interface, acm);
 	usb_set_intfdata(data_interface, acm);
 
-	usb_get_intf(control_interface);
 	tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor,
 			&control_interface->dev);
 	if (IS_ERR(tty_dev)) {
-- 
2.16.4


  reply index

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-23 14:28 syzbot
2019-08-01 16:01 ` Andrey Konovalov
2019-08-01 18:47   ` Alan Stern
2019-08-06 12:36     ` Oliver Neukum [this message]
2019-08-06 12:50       ` Andrey Konovalov
2019-08-07 13:38         ` Oliver Neukum
2019-08-07 13:44           ` Andrey Konovalov
2019-08-07 13:44             ` Andrey Konovalov
2019-08-07 13:45               ` Andrey Konovalov
2019-08-07 14:13                 ` syzbot
2019-08-07 13:56               ` syzbot
2019-08-07 17:40                 ` Alan Stern
2019-08-07 17:51                   ` syzbot
2019-08-07 18:05                     ` Alan Stern
2019-08-07 18:23                       ` syzbot
2019-08-07 18:31                         ` Alan Stern
2019-08-08 12:27                           ` Andrey Konovalov
2019-08-08 12:43                             ` Dmitry Vyukov
2019-08-08 13:03                               ` Andrey Konovalov
2019-08-08 13:59                                 ` Alan Stern
2019-08-13 12:42                                   ` Andrey Konovalov
2019-08-13 13:22                                     ` Oliver Neukum
2019-08-13 13:24                                       ` Andrey Konovalov
2019-08-13 15:16                                       ` Greg KH
2019-08-13 13:59               ` Andrey Konovalov
2019-08-06 14:19       ` Alan Stern
2019-08-06 14:25         ` Oliver Neukum
2019-08-06 15:33         ` Oliver Neukum
2019-08-07 13:46           ` Andrey Konovalov

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1565095011.8136.20.camel@suse.com \
    --to=oneukum@suse.com \
    --cc=andreyknvl@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=stern@rowland.harvard.edu \
    --cc=syzbot+1b2449b7b5dc240d107a@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-USB Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-usb/0 linux-usb/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-usb linux-usb/ https://lore.kernel.org/linux-usb \
		linux-usb@vger.kernel.org linux-usb@archiver.kernel.org
	public-inbox-index linux-usb


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-usb


AGPL code for this site: git clone https://public-inbox.org/ public-inbox