linux-kernel.vger.kernel.org archive mirror
* usb/media/au0828: use-after-free in au0828_rc_unregister
@ 2017-10-23 14:41 Andrey Konovalov
  2017-11-10  0:21 ` [PATCH] au0828: fix use-after-free at USB probing Gustavo A. R. Silva
  0 siblings, 1 reply; 7+ messages in thread
From: Andrey Konovalov @ 2017-10-23 14:41 UTC (permalink / raw)
  To: Mauro Carvalho Chehab, Sean Young, Andi Shyti, Hans Verkuil,
	linux-media, LKML
  Cc: Dmitry Vyukov, Kostya Serebryany, syzkaller

Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).

au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_control_msg() Failed receiving control message, error -71.
au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5)
usb 1-1: selecting invalid altsetting 5
au0828: Failure setting usb interface0 to as5
au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
==================================================================
BUG: KASAN: use-after-free in au0828_rc_unregister+0xaa/0xc0
Read of size 8 at addr ffff8800626e2b90 by task kworker/1:1/1491

CPU: 1 PID: 1491 Comm: kworker/1:1 Not tainted
4.14.0-rc5-43687-g06ab8a23e0e6 #545
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 print_address_description+0x78/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x23d/0x350 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 au0828_rc_unregister+0xaa/0xc0 drivers/media/usb/au0828/au0828-input.c:367
 au0828_usb_disconnect+0x63/0x130 drivers/media/usb/au0828/au0828-core.c:189
 au0828_usb_probe+0xb3e/0xf20 drivers/media/usb/au0828/au0828-core.c:660
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x363/0x440 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the page:
page:ffffea000189b880 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 dead000000000200 ffff88006c00d980 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8800626e2a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8800626e2b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8800626e2b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff8800626e2c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8800626e2c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH] au0828: fix use-after-free at USB probing
  2017-10-23 14:41 usb/media/au0828: use-after-free in au0828_rc_unregister Andrey Konovalov
@ 2017-11-10  0:21 ` Gustavo A. R. Silva
  2017-11-10 12:29   ` Andrey Konovalov
  0 siblings, 1 reply; 7+ messages in thread
From: Gustavo A. R. Silva @ 2017-11-10  0:21 UTC (permalink / raw)
  To: Andrey Konovalov, Mauro Carvalho Chehab, Hans Verkuil,
	Sean Young, linux-media, Andi Shyti, LKML
  Cc: Dmitry Vyukov, Kostya Serebryany, syzkaller, Gustavo A. R. Silva

Hi Andrey,

Could you please try this patch?

Thank you


The device is typically freed on failure after trying to set
USB interface0 to as5 in function au0828_analog_register.

Fix use-after-free by returning the error value immediately
after failure, instead of jumping to au0828_usb_disconnect
where _dev_ is also freed.

Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
---
 drivers/media/usb/au0828/au0828-core.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/media/usb/au0828/au0828-core.c b/drivers/media/usb/au0828/au0828-core.c
index cd363a2..b4abd90 100644
--- a/drivers/media/usb/au0828/au0828-core.c
+++ b/drivers/media/usb/au0828/au0828-core.c
@@ -630,7 +630,7 @@ static int au0828_usb_probe(struct usb_interface *interface,
 			__func__);
 		mutex_unlock(&dev->lock);
 		kfree(dev);
-		goto done;
+		return retval;
 	}
 
 	/* Digital TV */
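Review bot: `kfree(dev)` followed by `return retval` frees dev while the pointer the disconnect handler later retrieves from the interface still refers to it, and while everything registered before the analog step stays registered; the early return only skips the teardown that used to run at `done:`. The follow-up in this thread confirms the use-after-free simply moves into device_del. The safer shape is to keep a single teardown path: drop the `kfree(dev)` here, keep `goto done`, and make the error exit unwind exactly what probe had set up so far, clearing the interface data before dev is freed.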
@@ -655,7 +655,6 @@ static int au0828_usb_probe(struct usb_interface *interface,
 
 	retval = au0828_media_device_register(dev, usbdev);
 
-done:
 	if (retval < 0)
 		au0828_usb_disconnect(interface);
 
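Review bot: with `done:` removed, `if (retval < 0) au0828_usb_disconnect(interface);` now only covers the fall-through from au0828_media_device_register, so every earlier failure in probe becomes responsible for its own cleanup; the first hunk's early return frees dev and nothing else, and does not undo whatever was set up before the analog step. Either the commit message should state what that path now leaves registered, or the label should stay and the duplicate `kfree(dev)` go instead.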
-- 
2.7.4


* Re: [PATCH] au0828: fix use-after-free at USB probing
  2017-11-10  0:21 ` [PATCH] au0828: fix use-after-free at USB probing Gustavo A. R. Silva
@ 2017-11-10 12:29   ` Andrey Konovalov
  2017-11-10 17:35     ` Gustavo A. R. Silva
  0 siblings, 1 reply; 7+ messages in thread
From: Andrey Konovalov @ 2017-11-10 12:29 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Mauro Carvalho Chehab, Hans Verkuil, Sean Young, linux-media,
	Andi Shyti, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller

On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva
<garsilva@embeddedor.com> wrote:
> Hi Andrey,
>
> Could you please try this patch?
>
> Thank you

Hi Gustavo,

With your patch I get a different crash. Not sure if it's another bug
or the same one manifesting differently.

au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_control_msg() Failed receiving control message, error -71.
au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5)
usb 1-1: selecting invalid altsetting 5
au0828: Failure setting usb interface0 to as5
au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
au0828: probe of 1-1:0.0 failed with error -22
usb 1-1: USB disconnect, device number 2
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xda/0xf3
Read of size 8 at addr ffff8800641d0410 by task kworker/0:1/24

CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
4.14.0-rc5-43687-g72e555fa3d2e-dirty #105
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0xc1/0x11f lib/dump_stack.c:52
 print_address_description+0x71/0x234 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x173/0x270 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 __list_del_entry_valid+0xda/0xf3 lib/list_debug.c:54
 __list_del_entry ./include/linux/list.h:116
 list_del_init ./include/linux/list.h:158
 device_pm_remove+0x4a/0x1da drivers/base/power/main.c:149
 device_del+0x55f/0xa30 drivers/base/core.c:1986
 usb_disable_device+0x1df/0x670 drivers/usb/core/message.c:1170
 usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
 hub_port_connect drivers/usb/core/hub.c:4754
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0xe09/0x2eb0 drivers/usb/core/hub.c:5195
 process_one_work+0x86d/0x13e0 kernel/workqueue.c:2119
 process_scheduled_works kernel/workqueue.c:2179
 worker_thread+0x689/0xea0 kernel/workqueue.c:2255
 kthread+0x334/0x400 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the page:
page:ffffea0001907400 count:0 mapcount:-127 mapping:          (null) index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffff80
raw: ffffea00018a8f20 ffff88007fffa690 0000000000000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8800641d0300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8800641d0380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8800641d0400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff8800641d0480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8800641d0500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Thanks!

>
>
> The device is typically freed on failure after trying to set
> USB interface0 to as5 in function au0828_analog_register.
>
> Fix use-after-free by returning the error value immediately
> after failure, instead of jumping to au0828_usb_disconnect
> where _dev_ is also freed.
>
> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
> ---
>  drivers/media/usb/au0828/au0828-core.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/media/usb/au0828/au0828-core.c b/drivers/media/usb/au0828/au0828-core.c
> index cd363a2..b4abd90 100644
> --- a/drivers/media/usb/au0828/au0828-core.c
> +++ b/drivers/media/usb/au0828/au0828-core.c
> @@ -630,7 +630,7 @@ static int au0828_usb_probe(struct usb_interface *interface,
>                         __func__);
>                 mutex_unlock(&dev->lock);
>                 kfree(dev);
> -               goto done;
> +               return retval;
>         }
>
>         /* Digital TV */
> @@ -655,7 +655,6 @@ static int au0828_usb_probe(struct usb_interface *interface,
>
>         retval = au0828_media_device_register(dev, usbdev);
>
> -done:
>         if (retval < 0)
>                 au0828_usb_disconnect(interface);
>
> --
> 2.7.4
>


* Re: [PATCH] au0828: fix use-after-free at USB probing
  2017-11-10 12:29   ` Andrey Konovalov
@ 2017-11-10 17:35     ` Gustavo A. R. Silva
  2017-11-20 18:47       ` Andrey Konovalov
  0 siblings, 1 reply; 7+ messages in thread
From: Gustavo A. R. Silva @ 2017-11-10 17:35 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: Mauro Carvalho Chehab, Hans Verkuil, Sean Young, linux-media,
	Andi Shyti, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller


Quoting Andrey Konovalov <andreyknvl@google.com>:

> On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva
> <garsilva@embeddedor.com> wrote:
>> Hi Andrey,
>>
>> Could you please try this patch?
>>
>> Thank you
>
> Hi Gustavo,
>
> With your patch I get a different crash. Not sure if it's another bug
> or the same one manifesting differently.
>

That's the same one. It seems that the best solution is to remove the
kfree after the mutex_unlock and let the device resources be freed in
au0828_usb_disconnect.

Please try the following patch instead.

I appreciate your help.

Thank you, Andrey.

---
  drivers/media/usb/au0828/au0828-core.c | 1 -
  1 file changed, 1 deletion(-)

diff --git a/drivers/media/usb/au0828/au0828-core.c  
b/drivers/media/usb/au0828/au0828-core.c
index cd363a2..257ae0d 100644
--- a/drivers/media/usb/au0828/au0828-core.c
+++ b/drivers/media/usb/au0828/au0828-core.c
@@ -629,7 +629,6 @@ static int au0828_usb_probe(struct usb_interface  
*interface,
                 pr_err("%s() au0282_dev_register failed to register  
on V4L2\n",
                         __func__);
                 mutex_unlock(&dev->lock);
-               kfree(dev);
                 goto done;
         }

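Review bot: dropping the `kfree(dev)` removes the double free, but the report that follows in this thread shows the same use-after-free after this change, now reached from device_pm_remove via device_del when usb_disconnect unbinds the interface after the failed probe: memory freed during the probe failure is still linked into a driver-core list at that point. Calling the full disconnect handler from the probe error path is the remaining problem; worth checking what au0828_usb_disconnect frees that the USB core still references, and unwinding only the registrations probe had completed, in reverse order, instead of running the whole disconnect handler from `done:`.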
-- 
2.7.4

> au0828: recv_control_msg() Failed receiving control message, error -71.
> au0828: recv_control_msg() Failed receiving control message, error -71.
> au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5)
> usb 1-1: selecting invalid altsetting 5
> au0828: Failure setting usb interface0 to as5
> au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
> au0828: probe of 1-1:0.0 failed with error -22
> usb 1-1: USB disconnect, device number 2
> ==================================================================
> BUG: KASAN: use-after-free in __list_del_entry_valid+0xda/0xf3
> Read of size 8 at addr ffff8800641d0410 by task kworker/0:1/24
>
> CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
> 4.14.0-rc5-43687-g72e555fa3d2e-dirty #105
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>  __dump_stack lib/dump_stack.c:16
>  dump_stack+0xc1/0x11f lib/dump_stack.c:52
>  print_address_description+0x71/0x234 mm/kasan/report.c:252
>  kasan_report_error mm/kasan/report.c:351
>  kasan_report+0x173/0x270 mm/kasan/report.c:409
>  __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
>  __list_del_entry_valid+0xda/0xf3 lib/list_debug.c:54
>  __list_del_entry ./include/linux/list.h:116
>  list_del_init ./include/linux/list.h:158
>  device_pm_remove+0x4a/0x1da drivers/base/power/main.c:149
>  device_del+0x55f/0xa30 drivers/base/core.c:1986
>  usb_disable_device+0x1df/0x670 drivers/usb/core/message.c:1170
>  usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
>  hub_port_connect drivers/usb/core/hub.c:4754
>  hub_port_connect_change drivers/usb/core/hub.c:5009
>  port_event drivers/usb/core/hub.c:5115
>  hub_event+0xe09/0x2eb0 drivers/usb/core/hub.c:5195
>  process_one_work+0x86d/0x13e0 kernel/workqueue.c:2119
>  process_scheduled_works kernel/workqueue.c:2179
>  worker_thread+0x689/0xea0 kernel/workqueue.c:2255
>  kthread+0x334/0x400 kernel/kthread.c:231
>  ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
>
> The buggy address belongs to the page:
> page:ffffea0001907400 count:0 mapcount:-127 mapping:          (null)  
> index:0x0
> flags: 0x100000000000000()
> raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffff80
> raw: ffffea00018a8f20 ffff88007fffa690 0000000000000002 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff8800641d0300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  ffff8800641d0380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >ffff8800641d0400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>                          ^
>  ffff8800641d0480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  ffff8800641d0500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ==================================================================
>
> Thanks!
>
>>
>>
>> The device is typically freed on failure after trying to set
>> USB interface0 to as5 in function au0828_analog_register.
>>
>> Fix use-after-free by returning the error value immediately
>> after failure, instead of jumping to au0828_usb_disconnect
>> where _dev_ is also freed.
>>
>> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
>> ---
>>  drivers/media/usb/au0828/au0828-core.c | 3 +--
>>  1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/drivers/media/usb/au0828/au0828-core.c  
>> b/drivers/media/usb/au0828/au0828-core.c
>> index cd363a2..b4abd90 100644
>> --- a/drivers/media/usb/au0828/au0828-core.c
>> +++ b/drivers/media/usb/au0828/au0828-core.c
>> @@ -630,7 +630,7 @@ static int au0828_usb_probe(struct  
>> usb_interface *interface,
>>                         __func__);
>>                 mutex_unlock(&dev->lock);
>>                 kfree(dev);
>> -               goto done;
>> +               return retval;
>>         }
>>
>>         /* Digital TV */
>> @@ -655,7 +655,6 @@ static int au0828_usb_probe(struct  
>> usb_interface *interface,
>>
>>         retval = au0828_media_device_register(dev, usbdev);
>>
>> -done:
>>         if (retval < 0)
>>                 au0828_usb_disconnect(interface);
>>
>> --
>> 2.7.4
>>

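A small C model of the three error-path shapes discussed in this thread (the original kfree-then-goto, the early return of the first patch, and the single teardown of the second), added here as an illustration; it is not part of the thread or of the au0828 driver, and all names (model_probe, model_disconnect, check_variant) are hypothetical. It shows how the double free and the dangling interface pointer arise, but does not model the driver-core list interaction seen in the later report.

```c
/*
 * Model of the probe/disconnect error-path interaction discussed above.
 * Added illustration with hypothetical names; this is not au0828 code.
 * probe() allocates dev, stores it as the interface's driver data and
 * registers sub-devices; disconnect() reads that pointer back, unregisters
 * and frees dev. The three variants are the error paths from the thread.
 */
#include <stdio.h>
#include <stdlib.h>

struct model_dev {
	int freed;          /* set once the model's kfree() ran on this object */
	int rc_registered;  /* stands in for a registered sub-device */
};

struct model_interface {
	struct model_dev *intfdata;  /* usb_set_intfdata()/usb_get_intfdata() */
};

static int frees;                    /* how many times dev was freed */
static int use_after_free;           /* disconnect touched a freed dev */
static struct model_dev *last_alloc; /* so check_variant() can release it */

static void model_kfree(struct model_dev *dev)
{
	frees++;
	dev->freed = 1;  /* memory is kept so the model can observe misuse */
}

/* Stands in for au0828_usb_disconnect(): unregister, then free dev. */
static void model_disconnect(struct model_interface *intf)
{
	struct model_dev *dev = intf->intfdata;
	if (!dev)
		return;
	if (dev->freed)  /* KASAN would report the read here */
		use_after_free = 1;
	dev->rc_registered = 0;
	intf->intfdata = NULL;
	model_kfree(dev);
}

enum variant {
	ORIGINAL,        /* kfree(dev); goto done;          (double free)  */
	EARLY_RETURN,    /* kfree(dev); return retval;      (first patch)  */
	SINGLE_TEARDOWN, /* goto done; disconnect frees dev (second patch) */
};

/* Stands in for au0828_usb_probe() when the analog registration fails. */
static int model_probe(struct model_interface *intf, enum variant v)
{
	struct model_dev *dev = calloc(1, sizeof(*dev));
	int retval = -22;  /* -EINVAL, as in "probe of 1-1:0.0 failed with error -22" */

	last_alloc = dev;
	intf->intfdata = dev;
	dev->rc_registered = 1;  /* registrations completed before the failing step */

	/* the analog registration fails here in every variant */
	switch (v) {
	case ORIGINAL:
		model_kfree(dev);
		goto done;
	case EARLY_RETURN:
		model_kfree(dev);
		return retval;
	case SINGLE_TEARDOWN:
		goto done;
	}
done:
	if (retval < 0)
		model_disconnect(intf);
	return retval;
}

/* Returns 0 for a clean teardown, 1 for a double free or a use-after-free in
 * disconnect, 2 when dev was freed but the interface still points at it. */
static int check_variant(enum variant v)
{
	struct model_interface intf = { 0 };
	int result = 0;
	frees = 0;
	use_after_free = 0;
	model_probe(&intf, v);
	if (use_after_free || frees > 1)
		result = 1;
	else if (intf.intfdata && intf.intfdata->freed)
		result = 2;
	free(last_alloc);
	return result;
}

int main(void)
{
	printf("%d %d %d\n", check_variant(ORIGINAL), check_variant(EARLY_RETURN),
	       check_variant(SINGLE_TEARDOWN));
	return 0;
}
```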

* Re: [PATCH] au0828: fix use-after-free at USB probing
  2017-11-10 17:35     ` Gustavo A. R. Silva
@ 2017-11-20 18:47       ` Andrey Konovalov
  2017-11-23  1:31         ` Gustavo A. R. Silva
  0 siblings, 1 reply; 7+ messages in thread
From: Andrey Konovalov @ 2017-11-20 18:47 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Mauro Carvalho Chehab, Hans Verkuil, Sean Young, linux-media,
	Andi Shyti, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller

On Fri, Nov 10, 2017 at 6:35 PM, Gustavo A. R. Silva
<garsilva@embeddedor.com> wrote:
>
> Quoting Andrey Konovalov <andreyknvl@google.com>:
>
>> On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva
>> <garsilva@embeddedor.com> wrote:
>>>
>>> Hi Andrey,
>>>
>>> Could you please try this patch?
>>>
>>> Thank you

Hi!

Sorry for the delay.

With this patch I still see the same report:

au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_control_msg() Failed receiving control message, error -71.
au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5)
usb 1-1: selecting invalid altsetting 5
au0828: Failure setting usb interface0 to as5
au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
au0828: probe of 1-1:0.0 failed with error -22
usb 1-1: USB disconnect, device number 3
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xda/0xf3
Read of size 8 at addr ffff880062a74410 by task kworker/0:1/24

CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
4.14.0-rc8-44455-ge2105594a876-dirty #111
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:17
 dump_stack+0xe1/0x157 lib/dump_stack.c:53
 print_address_description+0x71/0x234 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x173/0x270 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 __list_del_entry_valid+0xda/0xf3 lib/list_debug.c:54
 __list_del_entry ./include/linux/list.h:117
 list_del_init ./include/linux/list.h:159
 device_pm_remove+0x4a/0x1e7 drivers/base/power/main.c:149
 device_del+0x599/0xa70 drivers/base/core.c:1986
 usb_disable_device+0x223/0x710 drivers/usb/core/message.c:1170
 usb_disconnect+0x285/0x7f0 drivers/usb/core/hub.c:2205
 hub_port_connect drivers/usb/core/hub.c:4838
 hub_port_connect_change drivers/usb/core/hub.c:5093
 port_event drivers/usb/core/hub.c:5199
 hub_event_impl+0x10ec/0x3440 drivers/usb/core/hub.c:5311
 hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 process_scheduled_works kernel/workqueue.c:2173
 worker_thread+0x72e/0x10d0 kernel/workqueue.c:2249
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432

The buggy address belongs to the page:
page:ffffea00018a9d00 count:0 mapcount:-127 mapping:          (null) index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffff80
raw: ffff88007fffa690 ffffea00018e6120 0000000000000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880062a74300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880062a74380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff880062a74400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff880062a74480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880062a74500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
=================================================================

Thanks!

>>
>>
>> Hi Gustavo,
>>
>> With your patch I get a different crash. Not sure if it's another bug
>> or the same one manifesting differently.
>>
>
> That's the same one. It seems that the best solution is to remove the kfree
> after the mutex_unlock and let the device resources be freed in
> au0828_usb_disconnect.
>
> Please try the following patch instead.
>
> I appreciate your help.
>
> Thank you, Andrey.
>
> ---
>  drivers/media/usb/au0828/au0828-core.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/drivers/media/usb/au0828/au0828-core.c
> b/drivers/media/usb/au0828/au0828-core.c
> index cd363a2..257ae0d 100644
> --- a/drivers/media/usb/au0828/au0828-core.c
> +++ b/drivers/media/usb/au0828/au0828-core.c
> @@ -629,7 +629,6 @@ static int au0828_usb_probe(struct usb_interface
> *interface,
>                 pr_err("%s() au0282_dev_register failed to register on
> V4L2\n",
>                         __func__);
>                 mutex_unlock(&dev->lock);
> -               kfree(dev);
>                 goto done;
>         }
>
> --
> 2.7.4
>
>
>> au0828: recv_control_msg() Failed receiving control message, error -71.
>> au0828: recv_control_msg() Failed receiving control message, error -71.
>> au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5)
>> usb 1-1: selecting invalid altsetting 5
>> au0828: Failure setting usb interface0 to as5
>> au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
>> au0828: probe of 1-1:0.0 failed with error -22
>> usb 1-1: USB disconnect, device number 2
>> ==================================================================
>> BUG: KASAN: use-after-free in __list_del_entry_valid+0xda/0xf3
>> Read of size 8 at addr ffff8800641d0410 by task kworker/0:1/24
>>
>> CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
>> 4.14.0-rc5-43687-g72e555fa3d2e-dirty #105
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
>> 01/01/2011
>> Workqueue: usb_hub_wq hub_event
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:16
>>  dump_stack+0xc1/0x11f lib/dump_stack.c:52
>>  print_address_description+0x71/0x234 mm/kasan/report.c:252
>>  kasan_report_error mm/kasan/report.c:351
>>  kasan_report+0x173/0x270 mm/kasan/report.c:409
>>  __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
>>  __list_del_entry_valid+0xda/0xf3 lib/list_debug.c:54
>>  __list_del_entry ./include/linux/list.h:116
>>  list_del_init ./include/linux/list.h:158
>>  device_pm_remove+0x4a/0x1da drivers/base/power/main.c:149
>>  device_del+0x55f/0xa30 drivers/base/core.c:1986
>>  usb_disable_device+0x1df/0x670 drivers/usb/core/message.c:1170
>>  usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
>>  hub_port_connect drivers/usb/core/hub.c:4754
>>  hub_port_connect_change drivers/usb/core/hub.c:5009
>>  port_event drivers/usb/core/hub.c:5115
>>  hub_event+0xe09/0x2eb0 drivers/usb/core/hub.c:5195
>>  process_one_work+0x86d/0x13e0 kernel/workqueue.c:2119
>>  process_scheduled_works kernel/workqueue.c:2179
>>  worker_thread+0x689/0xea0 kernel/workqueue.c:2255
>>  kthread+0x334/0x400 kernel/kthread.c:231
>>  ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
>>
>> The buggy address belongs to the page:
>> page:ffffea0001907400 count:0 mapcount:-127 mapping:          (null)
>> index:0x0
>> flags: 0x100000000000000()
>> raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffff80
>> raw: ffffea00018a8f20 ffff88007fffa690 0000000000000002 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>>  ffff8800641d0300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>  ffff8800641d0380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>> >ffff8800641d0400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>                          ^
>>  ffff8800641d0480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>  ffff8800641d0500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>> ==================================================================
>>
>> Thanks!
>>
>>>
>>>
>>> The device is typically freed on failure after trying to set
>>> USB interface0 to as5 in function au0828_analog_register.
>>>
>>> Fix use-after-free by returning the error value immediately
>>> after failure, instead of jumping to au0828_usb_disconnect
>>> where _dev_ is also freed.
>>>
>>> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
>>> ---
>>>  drivers/media/usb/au0828/au0828-core.c | 3 +--
>>>  1 file changed, 1 insertion(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/media/usb/au0828/au0828-core.c
>>> b/drivers/media/usb/au0828/au0828-core.c
>>> index cd363a2..b4abd90 100644
>>> --- a/drivers/media/usb/au0828/au0828-core.c
>>> +++ b/drivers/media/usb/au0828/au0828-core.c
>>> @@ -630,7 +630,7 @@ static int au0828_usb_probe(struct usb_interface
>>> *interface,
>>>                         __func__);
>>>                 mutex_unlock(&dev->lock);
>>>                 kfree(dev);
>>> -               goto done;
>>> +               return retval;
>>>         }
>>>
>>>         /* Digital TV */
>>> @@ -655,7 +655,6 @@ static int au0828_usb_probe(struct usb_interface
>>> *interface,
>>>
>>>         retval = au0828_media_device_register(dev, usbdev);
>>>
>>> -done:
>>>         if (retval < 0)
>>>                 au0828_usb_disconnect(interface);
>>>
>>> --
>>> 2.7.4
>>>
>
>
>
>
>
>


* Re: [PATCH] au0828: fix use-after-free at USB probing
  2017-11-20 18:47       ` Andrey Konovalov
@ 2017-11-23  1:31         ` Gustavo A. R. Silva
       [not found]           ` <CAAeHK+ws05W5FRuncD42MKEB5tX254baDh1cS7uT4pwq0ddfmQ@mail.gmail.com>
  0 siblings, 1 reply; 7+ messages in thread
From: Gustavo A. R. Silva @ 2017-11-23  1:31 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: Mauro Carvalho Chehab, Hans Verkuil, Sean Young, linux-media,
	Andi Shyti, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller

Hi Andrey,

I have successfully installed and tested syzkaller with QEMU. Can you
please tell me how to reproduce this bug or share with me the full
crash report?

Also, can you point me out to the PoC file?

Much appreciated
Thank you!
--
Gustavo A. R. Silva

Quoting Andrey Konovalov <andreyknvl@google.com>:

> On Fri, Nov 10, 2017 at 6:35 PM, Gustavo A. R. Silva
> <garsilva@embeddedor.com> wrote:
>>
>> Quoting Andrey Konovalov <andreyknvl@google.com>:
>>
>>> On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva
>>> <garsilva@embeddedor.com> wrote:
>>>>
>>>> Hi Andrey,
>>>>
>>>> Could you please try this patch?
>>>>
>>>> Thank you
>
> Hi!
>
> Sorry for the delay.
>
> With this patch I still see the same report:
>
> au0828: recv_control_msg() Failed receiving control message, error -71.
> au0828: recv_control_msg() Failed receiving control message, error -71.
> au0828: recv_control_msg() Failed receiving control message, error -71.
> au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5)
> usb 1-1: selecting invalid altsetting 5
> au0828: Failure setting usb interface0 to as5
> au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
> au0828: probe of 1-1:0.0 failed with error -22
> usb 1-1: USB disconnect, device number 3
> ==================================================================
> BUG: KASAN: use-after-free in __list_del_entry_valid+0xda/0xf3
> Read of size 8 at addr ffff880062a74410 by task kworker/0:1/24
>
> CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
> 4.14.0-rc8-44455-ge2105594a876-dirty #111
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>  __dump_stack lib/dump_stack.c:17
>  dump_stack+0xe1/0x157 lib/dump_stack.c:53
>  print_address_description+0x71/0x234 mm/kasan/report.c:252
>  kasan_report_error mm/kasan/report.c:351
>  kasan_report+0x173/0x270 mm/kasan/report.c:409
>  __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
>  __list_del_entry_valid+0xda/0xf3 lib/list_debug.c:54
>  __list_del_entry ./include/linux/list.h:117
>  list_del_init ./include/linux/list.h:159
>  device_pm_remove+0x4a/0x1e7 drivers/base/power/main.c:149
>  device_del+0x599/0xa70 drivers/base/core.c:1986
>  usb_disable_device+0x223/0x710 drivers/usb/core/message.c:1170
>  usb_disconnect+0x285/0x7f0 drivers/usb/core/hub.c:2205
>  hub_port_connect drivers/usb/core/hub.c:4838
>  hub_port_connect_change drivers/usb/core/hub.c:5093
>  port_event drivers/usb/core/hub.c:5199
>  hub_event_impl+0x10ec/0x3440 drivers/usb/core/hub.c:5311
>  hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
>  process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
>  process_scheduled_works kernel/workqueue.c:2173
>  worker_thread+0x72e/0x10d0 kernel/workqueue.c:2249
>  kthread+0x346/0x410 kernel/kthread.c:231
>  ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432
>
> The buggy address belongs to the page:
> page:ffffea00018a9d00 count:0 mapcount:-127 mapping:          (null)  
> index:0x0
> flags: 0x100000000000000()
> raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffff80
> raw: ffff88007fffa690 ffffea00018e6120 0000000000000002 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff880062a74300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  ffff880062a74380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >ffff880062a74400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>                          ^
>  ffff880062a74480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  ffff880062a74500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> =================================================================
>
> Thanks!
>
>>>
>>>
>>> Hi Gustavo,
>>>
>>> With your patch I get a different crash. Not sure if it's another bug
>>> or the same one manifesting differently.
>>>
>>
>> That's the same one. It seems that the best solution is to remove the kfree
>> after the mutex_unlock and let the device resources be freed in
>> au0828_usb_disconnect.
>>
>> Please try the following patch instead.
>>
>> I appreciate your help.
>>
>> Thank you, Andrey.
>>
>> ---
>>  drivers/media/usb/au0828/au0828-core.c | 1 -
>>  1 file changed, 1 deletion(-)
>>
>> diff --git a/drivers/media/usb/au0828/au0828-core.c
>> b/drivers/media/usb/au0828/au0828-core.c
>> index cd363a2..257ae0d 100644
>> --- a/drivers/media/usb/au0828/au0828-core.c
>> +++ b/drivers/media/usb/au0828/au0828-core.c
>> @@ -629,7 +629,6 @@ static int au0828_usb_probe(struct usb_interface
>> *interface,
>>                 pr_err("%s() au0282_dev_register failed to register on
>> V4L2\n",
>>                         __func__);
>>                 mutex_unlock(&dev->lock);
>> -               kfree(dev);
>>                 goto done;
>>         }
>>
>> --
>> 2.7.4
>>
>>
>>> au0828: recv_control_msg() Failed receiving control message, error -71.
>>> au0828: recv_control_msg() Failed receiving control message, error -71.
>>> au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5)
>>> usb 1-1: selecting invalid altsetting 5
>>> au0828: Failure setting usb interface0 to as5
>>> au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
>>> au0828: probe of 1-1:0.0 failed with error -22
>>> usb 1-1: USB disconnect, device number 2
>>> ==================================================================
>>> BUG: KASAN: use-after-free in __list_del_entry_valid+0xda/0xf3
>>> Read of size 8 at addr ffff8800641d0410 by task kworker/0:1/24
>>>
>>> CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
>>> 4.14.0-rc5-43687-g72e555fa3d2e-dirty #105
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>> Workqueue: usb_hub_wq hub_event
>>> Call Trace:
>>>  __dump_stack lib/dump_stack.c:16
>>>  dump_stack+0xc1/0x11f lib/dump_stack.c:52
>>>  print_address_description+0x71/0x234 mm/kasan/report.c:252
>>>  kasan_report_error mm/kasan/report.c:351
>>>  kasan_report+0x173/0x270 mm/kasan/report.c:409
>>>  __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
>>>  __list_del_entry_valid+0xda/0xf3 lib/list_debug.c:54
>>>  __list_del_entry ./include/linux/list.h:116
>>>  list_del_init ./include/linux/list.h:158
>>>  device_pm_remove+0x4a/0x1da drivers/base/power/main.c:149
>>>  device_del+0x55f/0xa30 drivers/base/core.c:1986
>>>  usb_disable_device+0x1df/0x670 drivers/usb/core/message.c:1170
>>>  usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
>>>  hub_port_connect drivers/usb/core/hub.c:4754
>>>  hub_port_connect_change drivers/usb/core/hub.c:5009
>>>  port_event drivers/usb/core/hub.c:5115
>>>  hub_event+0xe09/0x2eb0 drivers/usb/core/hub.c:5195
>>>  process_one_work+0x86d/0x13e0 kernel/workqueue.c:2119
>>>  process_scheduled_works kernel/workqueue.c:2179
>>>  worker_thread+0x689/0xea0 kernel/workqueue.c:2255
>>>  kthread+0x334/0x400 kernel/kthread.c:231
>>>  ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
>>>
>>> The buggy address belongs to the page:
>>> page:ffffea0001907400 count:0 mapcount:-127 mapping:          (null) index:0x0
>>> flags: 0x100000000000000()
>>> raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffff80
>>> raw: ffffea00018a8f20 ffff88007fffa690 0000000000000002 0000000000000000
>>> page dumped because: kasan: bad access detected
>>>
>>> Memory state around the buggy address:
>>>  ffff8800641d0300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>>  ffff8800641d0380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>> >ffff8800641d0400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>>                          ^
>>>  ffff8800641d0480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>>  ffff8800641d0500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>> ==================================================================
>>>
>>> Thanks!
>>>
>>>>
>>>>
>>>> The device is typically freed on failure after trying to set
>>>> USB interface0 to as5 in function au0828_analog_register.
>>>>
>>>> Fix use-after-free by returning the error value immediately
>>>> after failure, instead of jumping to au0828_usb_disconnect
>>>> where _dev_ is also freed.
>>>>
>>>> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
>>>> ---
>>>>  drivers/media/usb/au0828/au0828-core.c | 3 +--
>>>>  1 file changed, 1 insertion(+), 2 deletions(-)
>>>>
>>>> diff --git a/drivers/media/usb/au0828/au0828-core.c
>>>> b/drivers/media/usb/au0828/au0828-core.c
>>>> index cd363a2..b4abd90 100644
>>>> --- a/drivers/media/usb/au0828/au0828-core.c
>>>> +++ b/drivers/media/usb/au0828/au0828-core.c
>>>> @@ -630,7 +630,7 @@ static int au0828_usb_probe(struct usb_interface
>>>> *interface,
>>>>                         __func__);
>>>>                 mutex_unlock(&dev->lock);
>>>>                 kfree(dev);
>>>> -               goto done;
>>>> +               return retval;
>>>>         }
>>>>
>>>>         /* Digital TV */
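Review bot: replacing `goto done` with `return retval` right after `kfree(dev)` does avoid the freed-memory read in au0828_usb_disconnect(), but it also skips everything that handler tears down for what probe registered before the analog registration failed (the first report reached au0828_rc_unregister() from this path, so at least the RC input is live here), and nothing in this hunk unregisters it before dev is freed. The follow-up in this thread concludes the second KASAN report is the same bug and switches to dropping the kfree so the disconnect path owns the free; that is the safer shape, as it keeps one teardown sequence for every failure.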
>>>> @@ -655,7 +655,6 @@ static int au0828_usb_probe(struct usb_interface
>>>> *interface,
>>>>
>>>>         retval = au0828_media_device_register(dev, usbdev);
>>>>
>>>> -done:
>>>>         if (retval < 0)
>>>>                 au0828_usb_disconnect(interface);
>>>>
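Review bot: with the `done:` label gone, any other `goto done` still present in au0828_usb_probe() becomes a build error, so a clean build is the check that the first hunk removed the only one. Note that the surviving `if (retval < 0) au0828_usb_disconnect(interface);` now runs only for the au0828_media_device_register() failure directly above it, so any earlier failure must do its own complete cleanup before returning.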
>>>> --
>>>> 2.7.4
>>>>

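The ownership mistake the thread settles on (freeing dev in the probe error path and then jumping to the common disconnect teardown, which touches dev and frees it again) reduced to a constructed C model, added here as an example and not the driver's code; every struct and function name is a hypothetical stand-in, and the poison flag and counters stand in for what KASAN observes.

```c
/* Constructed model of the au0828 probe error-path bug (added example, not the
 * driver's code); every identifier below is a hypothetical stand-in. */
#include <stdbool.h>
#include <stddef.h>
#include <errno.h>

struct au_dev {             /* stand-in for struct au0828_dev */
    bool rc_registered;     /* RC input registered before the failing step */
    bool freed;             /* set by model_kfree(): the model's KASAN poison */
};
struct usb_intf { struct au_dev *drvdata; };   /* usb_{set,get}_intfdata() */
static struct au_dev dev_storage;  /* one static object instead of a heap */
static int uaf_reports;            /* touches of a freed object, as KASAN flagged */
static int double_frees;
static struct au_dev *model_kzalloc(void) { dev_storage = (struct au_dev){0}; return &dev_storage; }
static void model_kfree(struct au_dev *dev) {
    if (dev->freed) double_frees++;
    dev->freed = true;   /* poison rather than free, so later touches stay observable */
}
/* Later dereferences of dev go through here so the model can flag them. */
static struct au_dev *touch(struct au_dev *dev) { if (dev->freed) uaf_reports++; return dev; }

/* Stand-in for au0828_usb_disconnect(): the common teardown, which unregisters
 * what probe set up and is meant to be the single owner of the final kfree. */
static void model_disconnect(struct usb_intf *intf) {
    struct au_dev *dev = intf->drvdata;
    touch(dev)->rc_registered = false;   /* au0828_rc_unregister() in the report */
    intf->drvdata = NULL;
    model_kfree(dev);
}

/* Probe whose analog-register step fails when analog_fails is set. free_locally
 * is the buggy shape (kfree(dev); goto done;); false is the fix that drops it. */
static int model_probe(struct usb_intf *intf, bool analog_fails, bool free_locally) {
    struct au_dev *dev = model_kzalloc();
    intf->drvdata = dev;
    dev->rc_registered = true;         /* registered before the failing step */
    if (analog_fails) {
        if (free_locally) model_kfree(dev);   /* the bug: dev dies before teardown */
        model_disconnect(intf);               /* the `done:` path */
        return -EINVAL;
    }
    return 0;
}
/* Runs one failing probe; returns the UAF count and stores double frees in *dbl. */
static int failing_probe_uafs(bool free_locally, int *dbl) {
    struct usb_intf intf = { NULL };
    uaf_reports = 0; double_frees = 0;
    model_probe(&intf, true, free_locally);
    *dbl = double_frees;
    return uaf_reports;
}
```

The buggy shape produces one use-after-free and one double free in the model; the fixed shape produces neither while still tearing down the RC registration.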

* Re: [PATCH] au0828: fix use-after-free at USB probing
       [not found]           ` <CAAeHK+ws05W5FRuncD42MKEB5tX254baDh1cS7uT4pwq0ddfmQ@mail.gmail.com>
@ 2017-12-12 20:54             ` Gustavo A. R. Silva
  0 siblings, 0 replies; 7+ messages in thread
From: Gustavo A. R. Silva @ 2017-12-12 20:54 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: Mauro Carvalho Chehab, Hans Verkuil, Sean Young, linux-media,
	Andi Shyti, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller

Hey Andrey,

Quoting Andrey Konovalov <andreyknvl@google.com>:

> On Thu, Nov 23, 2017 at 2:31 AM, Gustavo A. R. Silva
> <garsilva@embeddedor.com> wrote:
>> Hi Andrey,
>>
>> I have successfully installed and tested syzkaller with QEMU. Can you please
>> tell me how to reproduce this bug or share with me the full crash report?
>>
>> Also, can you point me to the PoC file?
>
> Hi Gustavo,
>
> Sorry for the delay.
>

No worries.

> I've now published the USB fuzzing prototype, so here's how you can
> reproduce this:
>
> 1. Get Linux 4.15-rc3 upstream kernel
> (50c4c4e268a2d7a3e58ebb698ac74da0de40ae36).
>
> 2. Apply this patch (it adds a new interface to emulate USB devices):
> https://github.com/google/syzkaller/blob/usb-fuzzer/tools/usb/0002-usb-fuzzer-main-usb-gadget-fuzzer-driver.patch
>
> 3. Build the kernel with the attached .config (you need relatively new
> GCC to make KASAN work).
>
> 4. Run the attached reproducer.
>
> Also attaching the full kernel log.
>

Awesome. :D I'll try this.

Thank you!
--
Gustavo A. R. Silva



Thread overview: 7+ messages
2017-10-23 14:41 usb/media/au0828: use-after-free in au0828_rc_unregister Andrey Konovalov
2017-11-10  0:21 ` [PATCH] au0828: fix use-after-free at USB probing Gustavo A. R. Silva
2017-11-10 12:29   ` Andrey Konovalov
2017-11-10 17:35     ` Gustavo A. R. Silva
2017-11-20 18:47       ` Andrey Konovalov
2017-11-23  1:31         ` Gustavo A. R. Silva
     [not found]           ` <CAAeHK+ws05W5FRuncD42MKEB5tX254baDh1cS7uT4pwq0ddfmQ@mail.gmail.com>
2017-12-12 20:54             ` Gustavo A. R. Silva
