Linux-USB Archive on lore.kernel.org
* USB: gadget: f_midi: fixing a possible double-free in f_midi
@ 2019-08-20 17:45 Mark Salyzyn
  2019-08-20 20:15 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 3+ messages in thread
From: Mark Salyzyn @ 2019-08-20 17:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: kernel-team, Yavuz, Tuba, Felipe Balbi, stable, Felipe Balbi,
	Greg Kroah-Hartman, linux-usb

From: "Yavuz, Tuba" <tuba@ece.ufl.edu>

Cherry pick from commit 7fafcfdf6377b18b2a726ea554d6e593ba44349f
("USB: gadget: f_midi: fixing a possible double-free in f_midi")
Removing 'return err;' from conflict.

It looks like there is a possibility of a double-free vulnerability on an
error path of the f_midi_set_alt function in the f_midi driver. If the
path is feasible then free_ep_req gets called twice:

         req->complete = f_midi_complete;
         err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC);
            => ...
             usb_gadget_giveback_request
               =>
                 f_midi_complete (CALLBACK)
                   (inside f_midi_complete, for various cases of status)
                   free_ep_req(ep, req); // first kfree
         if (err) {
                 ERROR(midi, "%s: couldn't enqueue request: %d\n",
                             midi->out_ep->name, err);
                 free_ep_req(midi->out_ep, req); // second kfree
                 return err;
         }

The double-free possibility was introduced with commit ad0d1a058eac
("usb: gadget: f_midi: fix leak on failed to enqueue out requests").

Found by MOXCAFE tool.

Signed-off-by: Tuba Yavuz <tuba@ece.ufl.edu>
Fixes: ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests")
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: stable <stable@vger.kernel.org> # 4.4.y
---
 drivers/usb/gadget/function/f_midi.c | 3 ++-
 drivers/usb/gadget/u_f.h             | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
index 5ead414586a1..e5c4a907e5d4 100644
--- a/drivers/usb/gadget/function/f_midi.c
+++ b/drivers/usb/gadget/function/f_midi.c
@@ -366,7 +366,8 @@ static int f_midi_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
 		if (err) {
 			ERROR(midi, "%s queue req: %d\n",
 				    midi->out_ep->name, err);
-			free_ep_req(midi->out_ep, req);
+			if (req->buf != NULL)
+				free_ep_req(midi->out_ep, req);
 		}
 	}
 
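Review bot: the new `if (req->buf != NULL)` guard reads a field of `req` after usb_ep_queue() may already have handed the request to f_midi_complete, and the second hunk shows that free_ep_req() ends with usb_ep_free_request(ep, req), which releases the usb_request itself; on exactly the path this patch is meant to cover, the check therefore dereferences freed memory and only appears to work because the released object still happens to hold the NULL written by free_ep_req(). Ownership should be decided from something that survives the give-back (a flag in the midi struct set by the completion callback, or the documented contract of usb_ep_queue on failure), not from `req->buf`. The cherry-pick also omits the `return err;` that appears in the description's snippet, as the commit note says; a sentence explaining why the 4.4.y error path deliberately does not return would help backport reviewers.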
diff --git a/drivers/usb/gadget/u_f.h b/drivers/usb/gadget/u_f.h
index 69a1d10df04f..3ee365fbc2e2 100644
--- a/drivers/usb/gadget/u_f.h
+++ b/drivers/usb/gadget/u_f.h
@@ -65,7 +65,9 @@ struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len, int default_len)
 /* Frees a usb_request previously allocated by alloc_ep_req() */
 static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req)
 {
+	WARN_ON(req->buf == NULL);
 	kfree(req->buf);
+	req->buf = NULL;
 	usb_ep_free_request(ep, req);
 }
 
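Review bot: `req->buf = NULL;` is written on the line immediately before usb_ep_free_request(ep, req) releases the request, so the sentinel lives in memory that is freed on the next line and cannot be relied on by any later caller; the added WARN_ON(req->buf == NULL) has the same problem on a second call, since it too dereferences a request that has already been freed (kfree(NULL) is harmless by itself, so the WARN is the only behaviour this hunk adds). Suggest replacing the sentinel with a comment stating that free_ep_req() consumes the request and must be called at most once, and keeping any double-call protection at the call site in state that outlives the request.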
-- 
2.23.0.rc1.153.gdeed80330f-goog



* Re: USB: gadget: f_midi: fixing a possible double-free in f_midi
  2019-08-20 17:45 USB: gadget: f_midi: fixing a possible double-free in f_midi Mark Salyzyn
@ 2019-08-20 20:15 ` Greg Kroah-Hartman
  2019-08-20 21:13   ` Mark Salyzyn
  0 siblings, 1 reply; 3+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-20 20:15 UTC (permalink / raw)
  To: Mark Salyzyn
  Cc: linux-kernel, kernel-team, Yavuz, Tuba, Felipe Balbi, stable,
	Felipe Balbi, linux-usb

On Tue, Aug 20, 2019 at 10:45:13AM -0700, Mark Salyzyn wrote:
> From: "Yavuz, Tuba" <tuba@ece.ufl.edu>
> 
> Cherry pick from commit 7fafcfdf6377b18b2a726ea554d6e593ba44349f
> ("USB: gadget: f_midi: fixing a possible double-free in f_midi")
> Removing 'return err;' from conflict.
> 
> It looks like there is a possibility of a double-free vulnerability on an
> error path of the f_midi_set_alt function in the f_midi driver. If the
> path is feasible then free_ep_req gets called twice:
> 
>          req->complete = f_midi_complete;
>          err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC);
>             => ...
>              usb_gadget_giveback_request
>                =>
>                  f_midi_complete (CALLBACK)
>                    (inside f_midi_complete, for various cases of status)
>                    free_ep_req(ep, req); // first kfree
>          if (err) {
>                  ERROR(midi, "%s: couldn't enqueue request: %d\n",
>                              midi->out_ep->name, err);
>                  free_ep_req(midi->out_ep, req); // second kfree
>                  return err;
>          }
> 
> The double-free possibility was introduced with commit ad0d1a058eac
> ("usb: gadget: f_midi: fix leak on failed to enqueue out requests").
> 
> Found by MOXCAFE tool.
> 
> Signed-off-by: Tuba Yavuz <tuba@ece.ufl.edu>
> Fixes: ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests")
> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
> Cc: stable <stable@vger.kernel.org> # 4.4.y

No signed-off-by from you?

Anyway, this is already in the 4.4.y queue and will be in the next
release.

thanks,

greg k-h


* Re: USB: gadget: f_midi: fixing a possible double-free in f_midi
  2019-08-20 20:15 ` Greg Kroah-Hartman
@ 2019-08-20 21:13   ` Mark Salyzyn
  0 siblings, 0 replies; 3+ messages in thread
From: Mark Salyzyn @ 2019-08-20 21:13 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, kernel-team, Yavuz, Tuba, Felipe Balbi, stable,
	Felipe Balbi, linux-usb

On 8/20/19 1:15 PM, Greg Kroah-Hartman wrote:
> No signed-off-by from you?
>
> Anyway, this is already in the 4.4.y queue and will be in the next
> release.
>
> thanks,
>
> greg k-h

Ok, thanks! I will stand down.

-- Mark

