From: Salvatore Bonaccorso <carnil@debian.org>
To: Gerald Lee <sundaywind2004@gmail.com>
Cc: Alan Stern <stern@rowland.harvard.edu>, linux-usb@vger.kernel.org
Subject: Re: usb: A use-after-free Write in put_dev
Date: Sun, 15 Jan 2023 17:30:58 +0100
Message-ID: <Y8QqQiJfLH8gwsOH@eldamar.lan>
In-Reply-To: <CAO3qeMWZLEJeKg4B6p6g=AHecexQ9iPBXttujzbvHz-hRGwQjg@mail.gmail.com>
Hi,
On Tue, Dec 13, 2022 at 09:02:53AM +0800, Gerald Lee wrote:
> Hi Alan,
>
> I've tested this patch. It resolves the problem.
>
> Thanks.
>
>
> On Tue, Dec 13, 2022 at 12:24 AM Alan Stern <stern@rowland.harvard.edu> wrote:
> >
> > On Mon, Dec 12, 2022 at 04:07:43PM +0800, Gerald Lee wrote:
> > > Hi all,
> > >
> > > I found a vulnerability when fuzzing the Linux kernel with syzkaller.
> > > KASAN reports a use-after-free Write in put_dev. Then I tried to
> > > reproduce it and got the C source file. I compiled it and executed the
> > > binary program, but the kernel crashed as expected. This vulnerability
> > > could be used for LPE as a UAF, I thought.
> >
> > I think this use-after-free violation is caused by a race among the
> > superblock operations in the gadgetfs driver. Please try running your
> > test after applying the patch below, to see if it fixes the problem.
> >
> > Alan Stern
> >
> >
> > --- usb-devel.orig/drivers/usb/gadget/legacy/inode.c
> > +++ usb-devel/drivers/usb/gadget/legacy/inode.c
> > @@ -229,6 +229,7 @@ static void put_ep (struct ep_data *data
> > */
> >
> > static const char *CHIP;
> > +static DEFINE_MUTEX(sb_mutex); /* Serialize superblock maintenance */
> >
> > /*----------------------------------------------------------------------*/
> >
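Review bot: the comment on the new sb_mutex line says only "Serialize superblock maintenance"; since the lock exists to guard the two file-scope globals that gadgetfs_fill_super and gadgetfs_kill_sb race on, naming them would help later readers, e.g. `/* Protects the_device and CHIP across mount/unmount */`. A mutex rather than a spinlock is the right primitive here, because the region it will cover includes superblock teardown (kill_litter_super) that may sleep.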
> > @@ -2010,13 +2011,20 @@ gadgetfs_fill_super (struct super_block
> > {
> > struct inode *inode;
> > struct dev_data *dev;
> > + int rc;
> >
> > - if (the_device)
> > - return -ESRCH;
> > + mutex_lock(&sb_mutex);
> > +
> > + if (the_device) {
> > + rc = -ESRCH;
> > + goto Done;
> > + }
> >
> > CHIP = usb_get_gadget_udc_name();
> > - if (!CHIP)
> > - return -ENODEV;
> > + if (!CHIP) {
> > + rc = -ENODEV;
> > + goto Done;
> > + }
> >
> > /* superblock */
> > sb->s_blocksize = PAGE_SIZE;
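Review bot: the early returns visible in this hunk are correctly routed through Done so the mutex is released, but the hunk only shows the top of gadgetfs_fill_super; please confirm the elided body between here and the Enomem label contains no remaining bare `return`, since one left behind would now exit with sb_mutex held and deadlock the next mount or unmount. `rc` is declared without an initializer, which is fine as long as every path reaching Done assigns it, as all the paths shown do.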
> > @@ -2053,13 +2061,17 @@ gadgetfs_fill_super (struct super_block
> > * from binding to a controller.
> > */
> > the_device = dev;
> > - return 0;
> > + rc = 0;
> > + goto Done;
> >
> > -Enomem:
> > + Enomem:
> > kfree(CHIP);
> > CHIP = NULL;
> > + rc = -ENOMEM;
> >
> > - return -ENOMEM;
> > + Done:
> > + mutex_unlock(&sb_mutex);
> > + return rc;
> > }
> >
> > /* "mount -t gadgetfs path /dev/gadget" ends up here */
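Review bot: the `-Enomem:` / `+ Enomem:` and `+ Done:` lines move the labels from column 0 to an indented position; checkpatch warns "labels should not be indented" for that, so unless the file already uses indented labels they should stay in column 0. The Enomem block now falls through into Done, which is correct (CHIP is freed, rc is set, then the mutex is dropped), but a reader scanning for `goto Done` can miss it; an explicit `goto Done;` after `rc = -ENOMEM;` or a one-line comment would make the fall-through obvious.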
> > @@ -2081,6 +2093,7 @@ static int gadgetfs_init_fs_context(stru
> > static void
> > gadgetfs_kill_sb (struct super_block *sb)
> > {
> > + mutex_lock(&sb_mutex);
> > kill_litter_super (sb);
> > if (the_device) {
> > put_dev (the_device);
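Review bot: mutex_lock(&sb_mutex) is taken before kill_litter_super(sb) rather than only around the the_device / CHIP handling that follows it; if the race being fixed involves just those two globals, the critical section could begin after kill_litter_super(sb), shortening the window in which a concurrent mount is blocked. If ordering the superblock teardown itself against gadgetfs_fill_super is part of the fix, that reasoning deserves a sentence in the commit message so nobody narrows the lock later.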
> > @@ -2088,6 +2101,7 @@ gadgetfs_kill_sb (struct super_block *sb
> > }
> > kfree(CHIP);
> > CHIP = NULL;
> > + mutex_unlock(&sb_mutex);
> > }
> >
> > /*----------------------------------------------------------------------*/
AFAICS, this patch has not yet been applied in mainline, is this
correct?
Regards,
Salvatore
Thread overview:
2022-12-12 8:07 usb: A use-after-free Write in put_dev Gerald Lee
2022-12-12 16:24 ` Alan Stern
2022-12-13 1:02 ` Gerald Lee
2023-01-15 16:30 ` Salvatore Bonaccorso [this message]
2023-01-15 16:57 ` Alan Stern