From: Oliver Neukum <oneukum@suse.com>
To: "Zhang, Qiang" <Qiang.Zhang@windriver.com>,
syzbot <syzbot+9e04e2df4a32fb661daf@syzkaller.appspotmail.com>,
"andreyknvl@google.com" <andreyknvl@google.com>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
"gustavoars@kernel.org" <gustavoars@kernel.org>,
"ingrassia@epigenesys.com" <ingrassia@epigenesys.com>,
"lee.jones@linaro.org" <lee.jones@linaro.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
"penguin-kernel@I-love.SAKURA.ne.jp"
<penguin-kernel@i-love.sakura.ne.jp>,
"syzkaller-bugs@googlegroups.com"
<syzkaller-bugs@googlegroups.com>
Subject: Re: 回复: KASAN: use-after-free Read in service_outstanding_interrupt
Date: Tue, 05 Jan 2021 11:51:31 +0100 [thread overview]
Message-ID: <d09747d30bdb0a79daf9fa4bd381cc8deeb81d50.camel@suse.com> (raw)
In-Reply-To: <BYAPR11MB2632EDC88523D674D9C63E73FFD10@BYAPR11MB2632.namprd11.prod.outlook.com>
On Tuesday, 05.01.2021 at 04:50 +0000, Zhang, Qiang wrote:
>
> ________________________________________
> From: Oliver Neukum <oneukum@suse.com>
> Sent: 5 January 2021, 0:28
> To: syzbot; andreyknvl@google.com; gregkh@linuxfoundation.org; gustavoars@kernel.org; ingrassia@epigenesys.com; lee.jones@linaro.org; linux-kernel@vger.kernel.org; linux-usb@vger.kernel.org; penguin-kernel@I-love.SAKURA.ne.jp; syzkaller-bugs@googlegroups.com
> Subject: Re: KASAN: use-after-free Read in service_outstanding_interrupt
>
> On Thursday, 17.12.2020 at 19:21 -0800, syzbot wrote:
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit: 5e60366d Merge tag 'fallthrough-fixes-clang-5.11-rc1' of g..
> > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12c5b623500000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=5cea7506b7139727
> > dashboard link: https://syzkaller.appspot.com/bug?extid=9e04e2df4a32fb661daf
> > compiler: gcc (GCC) 10.1.0-syz 20200507
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=175adf07500000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1672680f500000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+9e04e2df4a32fb661daf@syzkaller.appspotmail.com
> >
> > #syz test: https://github.com/google/kasan.git 5e60366d
> >
>
> Hello Oliver
>
> This use-after-free still exists. It can be seen from the call trace that the
> usb_device object has been released on disconnect; a reference count
> can be added to the usb_device object to avoid this problem.
Hi,

thanks for your analysis. I think you are correct in your analysis, but
I am afraid your fix is not correct. The driver is submitting an URB
to a disconnected device. Your fix would prevent a crash, which is
definitely good, but we still cannot do that, because the device may
be owned by another driver or usbfs at that time.

Regards
Oliver
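The distinction Oliver draws above (a reference count keeps the usb_device memory alive, so it stops the use-after-free, but it says nothing about whether the driver still owns the device and may submit URBs to it) can be shown in a small user-space model. The following is an added example, not kernel code and not the cdc-wdm driver's own code: all names (dev_model, submit_guarded, run_scenario and so on) are constructed for the illustration. It compares a driver that only holds a reference with one that also checks a disconnected flag under its lock before submitting.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of a usb_device (constructed for this example). The refcount
 * governs memory lifetime only; "disconnected" records ownership. */
struct dev_model {
	int refcount;
	int disconnected;      /* set by the disconnect path; guarded by lock */
	int urbs_accepted;     /* submissions the modelled core accepted */
	pthread_mutex_t lock;
};

static struct dev_model *dev_alloc(void)
{
	struct dev_model *d = calloc(1, sizeof(*d));

	if (!d)
		return NULL;
	d->refcount = 1;
	pthread_mutex_init(&d->lock, NULL);
	return d;
}

static void dev_get(struct dev_model *d) { d->refcount++; }

/* Returns the remaining count; frees the object when it reaches zero. */
static int dev_put(struct dev_model *d)
{
	if (--d->refcount > 0)
		return d->refcount;
	pthread_mutex_destroy(&d->lock);
	free(d);
	return 0;
}

/* "Refcount-only" driver: holds a reference so the memory stays valid,
 * but never asks whether it still owns the device before submitting. */
static int submit_unguarded(struct dev_model *d)
{
	pthread_mutex_lock(&d->lock);
	d->urbs_accepted++;
	pthread_mutex_unlock(&d->lock);
	return 0;
}

/* Guarded driver: same reference, plus an ownership check under the lock
 * so nothing is submitted once disconnect has run. */
static int submit_guarded(struct dev_model *d)
{
	int ret = 0;

	pthread_mutex_lock(&d->lock);
	if (d->disconnected)
		ret = -ENODEV;
	else
		d->urbs_accepted++;
	pthread_mutex_unlock(&d->lock);
	return ret;
}

/* Disconnect: mark the device gone under the lock, then drop the driver's
 * reference. Other holders keep the memory alive, so no UAF follows. */
static void disconnect(struct dev_model *d)
{
	pthread_mutex_lock(&d->lock);
	d->disconnected = 1;
	pthread_mutex_unlock(&d->lock);
	dev_put(d);
}

struct result {
	int accepted_late;     /* URBs accepted after disconnect ran */
	int late_ret;          /* return code of the submit after disconnect */
};

/* Probe takes a ref, a deferred path (think: an interrupt completion that
 * wants to resubmit) takes another, disconnect runs, then the deferred path
 * submits. With either driver the memory is valid; only the guarded driver
 * refuses the submission. */
static struct result run_scenario(int (*submit)(struct dev_model *))
{
	struct dev_model *d = dev_alloc();
	struct result r;
	int before;

	if (!d)
		abort();
	dev_get(d);                   /* driver's reference from probe */
	submit(d);                    /* normal submit while connected */
	dev_get(d);                   /* deferred path holds its own ref */
	before = d->urbs_accepted;
	disconnect(d);                /* driver's ref dropped, memory still valid */
	r.late_ret = submit(d);
	r.accepted_late = d->urbs_accepted - before;
	dev_put(d);                   /* deferred path's ref */
	dev_put(d);                   /* core's initial ref: frees the object */
	return r;
}

struct result scenario_unguarded(void) { return run_scenario(submit_unguarded); }
struct result scenario_guarded(void) { return run_scenario(submit_guarded); }

int main(void)
{
	struct result u = scenario_unguarded(), g = scenario_guarded();

	printf("refcount only:  accepted after disconnect=%d ret=%d\n", u.accepted_late, u.late_ret);
	printf("refcount+flag:  accepted after disconnect=%d ret=%d\n", g.accepted_late, g.late_ret);
	return 0;
}
```

The refcount-only driver never crashes in this model, yet it still gets a URB accepted after disconnect, which is exactly the submission to a device the driver no longer owns that the reply objects to. The guarded variant turns that into -ENODEV while the reference still makes the flag check itself safe to perform.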
Thread overview: 11+ messages
2020-08-07 12:19 KASAN: use-after-free Read in service_outstanding_interrupt syzbot
2020-12-18 3:21 ` syzbot
2020-12-18 14:03 ` Tetsuo Handa
2020-12-19 15:25 ` [PATCH] USB: cdc-wdm: Fix use after free in service_outstanding_interrupt() Tetsuo Handa
2020-12-28 14:44 ` Oliver Neukum
2021-01-04 16:28 ` KASAN: use-after-free Read in service_outstanding_interrupt Oliver Neukum
2021-01-04 16:44 ` syzbot
2021-01-05 4:50 ` 回复: " Zhang, Qiang
2021-01-05 10:51 ` Oliver Neukum [this message]
[not found] ` <20201218082113.1238-1-hdanton@sina.com>
2020-12-18 8:28 ` Greg KH
[not found] ` <20201218100134.1351-1-hdanton@sina.com>
2020-12-18 10:32 ` Greg KH