From: Alan Stern <stern@rowland.harvard.edu>
To: Oliver Neukum <oneukum@suse.com>
Cc: keescook@chromium.org, <gustavo@embeddedor.com>,
<andreyknvl@google.com>, <syzkaller-bugs@googlegroups.com>,
<gregkh@linuxfoundation.org>,
syzbot <syzbot+cfe6d93e0abab9a0de05@syzkaller.appspotmail.com>,
<linux-kernel@vger.kernel.org>, <linux-usb@vger.kernel.org>
Subject: Re: KASAN: use-after-free Read in iowarrior_disconnect
Date: Tue, 20 Aug 2019 11:14:24 -0400 (EDT)
Message-ID: <Pine.LNX.4.44L0.1908201110510.1573-100000@iolanthe.rowland.org>
In-Reply-To: <1566311916.11678.26.camel@suse.com>
On Tue, 20 Aug 2019, Oliver Neukum wrote:
> On Tuesday, 20.08.2019, 10:18 -0400, Alan Stern wrote:
> > On Mon, 19 Aug 2019, Oliver Neukum wrote:
> >
> > > On Monday, 19.08.2019, 07:48 -0700, syzbot wrote:
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit: d0847550 usb-fuzzer: main usb gadget fuzzer driver
> > > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=139be302600000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=dbc9c80cc095da19
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=cfe6d93e0abab9a0de05
> > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12fe6b02600000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1548189c600000
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > Reported-by: syzbot+cfe6d93e0abab9a0de05@syzkaller.appspotmail.com
> > > >
> > >
> > > #syz test: https://github.com/google/kasan.git d0847550
> >
> > There's no need for us to work at cross purposes on this. We can go
> > with your approach.
> >
> > However, the code is more complicated than your patch accounts for.
> > The wait can finish in several different ways:
> >
> > (1) The control URB succeeds and the interrupt URB gets an
> > acknowledgment.
> >
> > (2) The control URB completes with an error.
> >
> > (3) The wait times out.
> >
> > (4) A disconnect occurs.
>
> I absolutely agree. There is something quite wrong in this driver.
> Unfortunately this is likely exploitable by a malicious gadget,
> so just ignoring this is a bad option. I will need to go through the
> logic. Or do you want to have a shot at it?
>
> The patch was really only for testing. I wanted to know whether
> I was hitting this very issue. This driver will need more surgery.
If you would like to work on it, that's fine with me.
Alan Stern
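The four outcomes Alan enumerates above are the whole difficulty: whichever one ends the wait, the structure that the waiter and the disconnect handler share has to stay allocated until both are done with it. The following is an added example written for this page, not code from the iowarrior driver or from anyone in the thread: a user-space pthread model of that wait, with a hypothetical `struct model_dev`, a kref-style reference count, one completion path per outcome, and a scenario in which a second thread unplugs the device while the writer is still waiting. Every name, the 20 ms delay and the reference-holding convention (one reference for the interface, one for the open file) are assumptions of the model.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <time.h>

/* Outcomes (1)-(4), numbered as in the list in the message above. */
enum wait_outcome { WAIT_ACKED = 1, WAIT_CTRL_ERROR = 2, WAIT_TIMED_OUT = 3, WAIT_DISCONNECTED = 4 };
/* Hypothetical device model; none of these names are the driver's own. */
struct model_dev {
	pthread_mutex_t lock;
	pthread_cond_t wait;
	_Atomic int refcount; /* kref stand-in: one for the interface, one per open file */
	bool ctrl_done;       /* the control URB's completion has run */
	int ctrl_status;      /* 0 or a negative errno recorded by that completion */
	bool acked;           /* the interrupt URB delivered the acknowledgment */
	bool disconnected;
};
_Atomic int model_frees; /* model_dev structures freed so far, so a caller can check lifetime */
struct model_dev *model_dev_create(void)
{
	struct model_dev *dev = calloc(1, sizeof(*dev));
	if (!dev) return NULL;
	pthread_mutex_init(&dev->lock, NULL); pthread_cond_init(&dev->wait, NULL);
	atomic_store(&dev->refcount, 1); /* the interface's reference, dropped by disconnect */
	return dev;
}
void model_dev_get(struct model_dev *dev) { atomic_fetch_add(&dev->refcount, 1); }
void model_dev_put(struct model_dev *dev) /* the last reference frees the structure */
{
	if (atomic_fetch_sub(&dev->refcount, 1) != 1) return;
	pthread_cond_destroy(&dev->wait); pthread_mutex_destroy(&dev->lock);
	free(dev); model_frees++;
}
/* Called with dev->lock held; true once any of the four conditions holds. */
static bool wait_done(const struct model_dev *dev, enum wait_outcome *out)
{
	if (dev->disconnected) *out = WAIT_DISCONNECTED;
	else if (dev->ctrl_done && dev->ctrl_status < 0) *out = WAIT_CTRL_ERROR;
	else if (dev->ctrl_done && dev->acked) *out = WAIT_ACKED;
	else return false;
	return true;
}

/* The writer's wait. The caller must hold a reference for the whole call. */
enum wait_outcome model_wait_for_ack(struct model_dev *dev, int timeout_ms)
{
	struct timespec deadline; enum wait_outcome out;
	clock_gettime(CLOCK_REALTIME, &deadline);
	deadline.tv_sec += timeout_ms / 1000; deadline.tv_nsec += (long)(timeout_ms % 1000) * 1000000L;
	if (deadline.tv_nsec >= 1000000000L) { deadline.tv_sec++; deadline.tv_nsec -= 1000000000L; }
	pthread_mutex_lock(&dev->lock);
	while (!wait_done(dev, &out)) {
		if (pthread_cond_timedwait(&dev->wait, &dev->lock, &deadline) == ETIMEDOUT) {
			if (!wait_done(dev, &out)) /* a wakeup can race the timeout: re-check once */
				out = WAIT_TIMED_OUT;
			break;
		}
	}
	pthread_mutex_unlock(&dev->lock);
	return out;
}

/* Completion paths: record the condition under the lock, then wake the waiter. */
void model_ctrl_complete(struct model_dev *dev, int status) /* control URB completion */
{
	pthread_mutex_lock(&dev->lock); dev->ctrl_done = true; dev->ctrl_status = status;
	pthread_cond_broadcast(&dev->wait); pthread_mutex_unlock(&dev->lock);
}
void model_int_ack(struct model_dev *dev) /* interrupt URB acknowledgment */
{
	pthread_mutex_lock(&dev->lock); dev->acked = true;
	pthread_cond_broadcast(&dev->wait); pthread_mutex_unlock(&dev->lock);
}
/* Disconnect: flag and wake, then drop only the interface's reference. Nothing
 * touches dev after the put, because that put may be the one that frees it. */
void model_disconnect(struct model_dev *dev)
{
	pthread_mutex_lock(&dev->lock); dev->disconnected = true;
	pthread_cond_broadcast(&dev->wait); pthread_mutex_unlock(&dev->lock);
	model_dev_put(dev);
}

static void *unplug_thread(void *arg) /* stands in for the USB core calling disconnect */
{
	nanosleep(&(struct timespec){ 0, 20 * 1000 * 1000 }, NULL); /* 20 ms, an arbitrary delay */
	model_disconnect(arg);
	return NULL;
}
/* Outcome (4) with a real race: a writer waits while another thread unplugs. Returns 0
 * when the waiter saw the disconnect and dev was freed by the last put, not by disconnect. */
int model_unplug_during_wait(void)
{
	struct model_dev *dev = model_dev_create();
	int frees_before = model_frees; pthread_t t;
	model_dev_get(dev); /* open(): the file's reference */
	pthread_create(&t, NULL, unplug_thread, dev);
	enum wait_outcome out = model_wait_for_ack(dev, 2000);
	pthread_join(t, NULL); bool alive = (model_frees == frees_before); /* disconnect ran, dev not freed */
	model_dev_put(dev); /* release(): the last reference goes away here */
	return (out == WAIT_DISCONNECTED && alive && model_frees == frees_before + 1) ? 0 : -1;
}
```

The point the model makes is about ordering: disconnect may flag the device and wake the waiter, but it may only touch the structure while it still holds its own reference, and it is the last put, wherever that happens, that frees. Two details are the ones that usually go wrong in practice: the timeout path re-checks the state once after `pthread_cond_timedwait` returns `ETIMEDOUT`, because a wakeup for one of the other three outcomes can land at the same moment, and an acknowledgment that arrives before the control URB has completed does not count as outcome (1) until the control status is known.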
Thread overview: 9+ messages
2019-08-19 14:48 KASAN: use-after-free Read in iowarrior_disconnect syzbot
2019-08-19 15:24 ` Oliver Neukum
2019-08-19 15:36 ` syzbot
2019-08-20 14:18 ` Alan Stern
2019-08-20 14:24 ` Alan Stern
2019-08-20 14:38 ` Oliver Neukum
2019-08-20 14:42 ` Oliver Neukum
2019-08-20 15:14 ` Alan Stern [this message]
2019-11-19 14:57 ` Andrey Konovalov