From: Gerald Lee <sundaywind2004@gmail.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: linux-usb@vger.kernel.org
Subject: Re: usb: A use-after-free Write in put_dev
Date: Tue, 13 Dec 2022 09:02:53 +0800 [thread overview]
Message-ID: <CAO3qeMWZLEJeKg4B6p6g=AHecexQ9iPBXttujzbvHz-hRGwQjg@mail.gmail.com> (raw)
In-Reply-To: <Y5dV11OoM3ojxNHy@rowland.harvard.edu>
Hi Alan,
I've tested this patch. It resolves the problem.
Thanks.
On Tue, Dec 13, 2022 at 12:24 AM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Mon, Dec 12, 2022 at 04:07:43PM +0800, Gerald Lee wrote:
> > Hi, all
> >
> > I found a vulnerability when fuzzing linux kernel by syzkaller. The
> > KASAN reports that use-after-free Write in put_dev. Then I tried to
> > reproduce and got the C source file. I compiled it and executed the
> > binary program, but the kernel crashed as expected. This vulnerability
> > could be used to LPE as UAF, I thought.
>
> I think this use-after-free violation is caused by a race among the
> superblock operations in the gadgetfs driver. Please try running your
> test after applying the patch below, to see if it fixes the problem.
>
> Alan Stern
>
>
> --- usb-devel.orig/drivers/usb/gadget/legacy/inode.c
> +++ usb-devel/drivers/usb/gadget/legacy/inode.c
> @@ -229,6 +229,7 @@ static void put_ep (struct ep_data *data
> */
>
> static const char *CHIP;
> +static DEFINE_MUTEX(sb_mutex); /* Serialize superblock maintenance */
>
> /*----------------------------------------------------------------------*/
>
> @@ -2010,13 +2011,20 @@ gadgetfs_fill_super (struct super_block
> {
> struct inode *inode;
> struct dev_data *dev;
> + int rc;
>
> - if (the_device)
> - return -ESRCH;
> + mutex_lock(&sb_mutex);
> +
> + if (the_device) {
> + rc = -ESRCH;
> + goto Done;
> + }
>
> CHIP = usb_get_gadget_udc_name();
> - if (!CHIP)
> - return -ENODEV;
> + if (!CHIP) {
> + rc = -ENODEV;
> + goto Done;
> + }
>
> /* superblock */
> sb->s_blocksize = PAGE_SIZE;
> @@ -2053,13 +2061,17 @@ gadgetfs_fill_super (struct super_block
> * from binding to a controller.
> */
> the_device = dev;
> - return 0;
> + rc = 0;
> + goto Done;
>
> -Enomem:
> + Enomem:
> kfree(CHIP);
> CHIP = NULL;
> + rc = -ENOMEM;
>
> - return -ENOMEM;
> + Done:
> + mutex_unlock(&sb_mutex);
> + return rc;
> }
>
> /* "mount -t gadgetfs path /dev/gadget" ends up here */
> @@ -2081,6 +2093,7 @@ static int gadgetfs_init_fs_context(stru
> static void
> gadgetfs_kill_sb (struct super_block *sb)
> {
> + mutex_lock(&sb_mutex);
> kill_litter_super (sb);
> if (the_device) {
> put_dev (the_device);
> @@ -2088,6 +2101,7 @@ gadgetfs_kill_sb (struct super_block *sb
> }
> kfree(CHIP);
> CHIP = NULL;
> + mutex_unlock(&sb_mutex);
> }
>
> /*----------------------------------------------------------------------*/
next prev parent reply other threads:[~2022-12-13 1:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-12 8:07 usb: A use-after-free Write in put_dev Gerald Lee
2022-12-12 16:24 ` Alan Stern
2022-12-13 1:02 ` Gerald Lee [this message]
2023-01-15 16:30 ` Salvatore Bonaccorso
2023-01-15 16:57 ` Alan Stern
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAO3qeMWZLEJeKg4B6p6g=AHecexQ9iPBXttujzbvHz-hRGwQjg@mail.gmail.com' \
--to=sundaywind2004@gmail.com \
--cc=linux-usb@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).