Linux-USB Archive on lore.kernel.org
* [PATCH 0/2] can: fix use-after-free on USB disconnect
@ 2019-10-01 10:29 Johan Hovold
  2019-10-01 10:29 ` [PATCH 1/2] can: mcba_usb: fix use-after-free on disconnect Johan Hovold
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Johan Hovold @ 2019-10-01 10:29 UTC (permalink / raw)
  To: Wolfgang Grandegger, Marc Kleine-Budde
  Cc: David S. Miller, linux-can, netdev, linux-kernel, linux-usb,
	Johan Hovold

Syzbot reported a use-after-free on disconnect in mcba_usb and a quick
grep revealed a similar issue in usb_8dev.

Compile-tested only.

Johan


Johan Hovold (2):
  can: mcba_usb: fix use-after-free on disconnect
  can: usb_8dev: fix use-after-free on disconnect

 drivers/net/can/usb/mcba_usb.c | 3 +--
 drivers/net/can/usb/usb_8dev.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

-- 
2.23.0



* [PATCH 1/2] can: mcba_usb: fix use-after-free on disconnect
  2019-10-01 10:29 [PATCH 0/2] can: fix use-after-free on USB disconnect Johan Hovold
@ 2019-10-01 10:29 ` Johan Hovold
  2019-10-01 10:29 ` [PATCH 2/2] can: usb_8dev: " Johan Hovold
  2019-10-04 20:45 ` [PATCH 0/2] can: fix use-after-free on USB disconnect Marc Kleine-Budde
  2 siblings, 0 replies; 4+ messages in thread
From: Johan Hovold @ 2019-10-01 10:29 UTC (permalink / raw)
  To: Wolfgang Grandegger, Marc Kleine-Budde
  Cc: David S. Miller, linux-can, netdev, linux-kernel, linux-usb,
	Johan Hovold, stable, Remigiusz Kołłątaj,
	syzbot+e29b17e5042bbc56fae9

The driver was accessing its driver data after having freed it.

Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
Cc: stable <stable@vger.kernel.org>     # 4.12
Cc: Remigiusz Kołłątaj <remigiusz.kollataj@mobica.com>
Reported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/net/can/usb/mcba_usb.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
index 19a702ac49e4..21faa2ec4632 100644
--- a/drivers/net/can/usb/mcba_usb.c
+++ b/drivers/net/can/usb/mcba_usb.c
@@ -876,9 +876,8 @@ static void mcba_usb_disconnect(struct usb_interface *intf)
 	netdev_info(priv->netdev, "device disconnected\n");
 
 	unregister_candev(priv->netdev);
-	free_candev(priv->netdev);
-
 	mcba_urb_unlink(priv);
+	free_candev(priv->netdev);
 }
 
 static struct usb_driver mcba_usb_driver = {
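
Review bot: The new order at the end of mcba_usb_disconnect() is correct, but nothing in the code records why free_candev(priv->netdev) has to stay last: per the commit message it releases the driver data that mcba_urb_unlink(priv) still dereferences. A one-line comment above free_candev() saying that priv goes away with the netdev would keep a later cleanup from moving the call back up. The commit message could also name the offending call (mcba_urb_unlink(priv) running after free_candev()) instead of only saying driver data was accessed after free, and because the cover letter says compile-tested only, a run against the syzbot reproducer is worth asking for before this goes to stable (4.12).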
-- 
2.23.0



* [PATCH 2/2] can: usb_8dev: fix use-after-free on disconnect
  2019-10-01 10:29 [PATCH 0/2] can: fix use-after-free on USB disconnect Johan Hovold
  2019-10-01 10:29 ` [PATCH 1/2] can: mcba_usb: fix use-after-free on disconnect Johan Hovold
@ 2019-10-01 10:29 ` " Johan Hovold
  2019-10-04 20:45 ` [PATCH 0/2] can: fix use-after-free on USB disconnect Marc Kleine-Budde
  2 siblings, 0 replies; 4+ messages in thread
From: Johan Hovold @ 2019-10-01 10:29 UTC (permalink / raw)
  To: Wolfgang Grandegger, Marc Kleine-Budde
  Cc: David S. Miller, linux-can, netdev, linux-kernel, linux-usb,
	Johan Hovold, stable, Bernd Krumboeck

The driver was accessing its driver data after having freed it.

Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
Cc: stable <stable@vger.kernel.org>     # 3.9
Cc: Bernd Krumboeck <b.krumboeck@gmail.com>
Cc: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/net/can/usb/usb_8dev.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c
index d596a2ad7f78..8fa224b28218 100644
--- a/drivers/net/can/usb/usb_8dev.c
+++ b/drivers/net/can/usb/usb_8dev.c
@@ -996,9 +996,8 @@ static void usb_8dev_disconnect(struct usb_interface *intf)
 		netdev_info(priv->netdev, "device disconnected\n");
 
 		unregister_netdev(priv->netdev);
-		free_candev(priv->netdev);
-
 		unlink_all_urbs(priv);
+		free_candev(priv->netdev);
 	}
 
 }
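
Review bot: This patch has no Reported-by and was found by grep, so the commit message is the only record of the defect, and "accessing its driver data after having freed it" does not say where. It should state that unlink_all_urbs(priv) ran after free_candev(priv->netdev) in usb_8dev_disconnect(), so that stable maintainers backporting to 3.9 can confirm the same sequence exists in their tree. The teardown here uses unregister_netdev() where the mcba_usb hunk in patch 1/2 uses unregister_candev(); that is untouched context, but a sentence confirming the difference is intentional would help, since both drivers release the device with free_candev().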
-- 
2.23.0



* Re: [PATCH 0/2] can: fix use-after-free on USB disconnect
  2019-10-01 10:29 [PATCH 0/2] can: fix use-after-free on USB disconnect Johan Hovold
  2019-10-01 10:29 ` [PATCH 1/2] can: mcba_usb: fix use-after-free on disconnect Johan Hovold
  2019-10-01 10:29 ` [PATCH 2/2] can: usb_8dev: " Johan Hovold
@ 2019-10-04 20:45 ` Marc Kleine-Budde
  2 siblings, 0 replies; 4+ messages in thread
From: Marc Kleine-Budde @ 2019-10-04 20:45 UTC (permalink / raw)
  To: Johan Hovold, Wolfgang Grandegger
  Cc: David S. Miller, linux-can, netdev, linux-kernel, linux-usb


On 10/1/19 12:29 PM, Johan Hovold wrote:
> Syzbot reported a use-after-free on disconnect in mcba_usb and a quick
> grep revealed a similar issue in usb_8dev.
> 
> Compile-tested only.

Applied to can.

tnx,
Marc

-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |

