usb/media/em28xx: use-after-free in em28xx_dvb_fini

usb/media/em28xx: use-after-free in em28xx_dvb_fini

[Andrey Konovalov]

Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).

em28xx 1-1:2.0: New device a  @ 480 Mbps (eb1a:2801, interface 0, class 0)
em28xx 1-1:2.0: Audio interface 0 found (Vendor Class)
em28xx 1-1:2.0: chip ID is em2860
em28xx 1-1:2.0: Config register raw data: 0x22
em28xx 1-1:2.0: I2S Audio (3 sample rate(s))
em28xx 1-1:2.0: No AC97 audio processor
em28xx 1-1:2.0: Binding audio extension
em28xx 1-1:2.0: em28xx-audio.c: Copyright (C) 2006 Markus Rechberger
em28xx 1-1:2.0: em28xx-audio.c: Copyright (C) 2007-2016 Mauro Carvalho Chehab
em28xx 1-1:2.0: alt 0 doesn't exist on interface 7
usb 1-1: USB disconnect, device number 2
em28xx 1-1:2.0: Disconnecting
em28xx 1-1:2.0: Closing audio extension
em28xx 1-1:2.0: Freeing device
==================================================================
BUG: KASAN: use-after-free in em28xx_dvb_fini+0x74b/0x8e0
Read of size 1 at addr ffff880069d2c12c by task kworker/0:1/24

CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
4.14.0-rc7-44290-gf28444df2601-dirty #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0xe1/0x157 lib/dump_stack.c:52
 print_address_description+0x71/0x234 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x173/0x270 mm/kasan/report.c:409
 __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
 em28xx_dvb_fini+0x74b/0x8e0 drivers/media/usb/em28xx/em28xx-dvb.c:2076
 em28xx_close_extension+0x71/0x220 drivers/media/usb/em28xx/em28xx-core.c:1122
 em28xx_usb_disconnect+0xd7/0x140 drivers/media/usb/em28xx/em28xx-cards.c:3763
 usb_unbind_interface+0x1b6/0x950 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:861
 device_release_driver_internal+0x529/0x5f0 drivers/base/dd.c:893
 device_release_driver+0x1e/0x30 drivers/base/dd.c:918
 bus_remove_device+0x2fc/0x4b0 drivers/base/bus.c:565
 device_del+0x591/0xa70 drivers/base/core.c:1985
 usb_disable_device+0x223/0x710 drivers/usb/core/message.c:1170
 usb_disconnect+0x285/0x7f0 drivers/usb/core/hub.c:2205
 hub_port_connect drivers/usb/core/hub.c:4838
 hub_port_connect_change drivers/usb/core/hub.c:5093
 port_event drivers/usb/core/hub.c:5199
 hub_event_impl+0x10ec/0x3440 drivers/usb/core/hub.c:5311
 hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the page:
page:ffffea0001a74b00 count:0 mapcount:-127 mapping:          (null) index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffff80
raw: ffffea00019f0320 ffff88007fffa690 0000000000000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880069d2c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880069d2c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff880069d2c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                  ^
 ffff880069d2c180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880069d2c200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini

[Andrey Konovalov]

On Fri, Nov 3, 2017 at 3:44 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
> Hi!
>
> I've got the following report while fuzzing the kernel with syzkaller.
>
> On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
>
> em28xx 1-1:2.0: New device a  @ 480 Mbps (eb1a:2801, interface 0, class 0)
> em28xx 1-1:2.0: Audio interface 0 found (Vendor Class)
> em28xx 1-1:2.0: chip ID is em2860
> em28xx 1-1:2.0: Config register raw data: 0x22
> em28xx 1-1:2.0: I2S Audio (3 sample rate(s))
> em28xx 1-1:2.0: No AC97 audio processor
> em28xx 1-1:2.0: Binding audio extension
> em28xx 1-1:2.0: em28xx-audio.c: Copyright (C) 2006 Markus Rechberger
> em28xx 1-1:2.0: em28xx-audio.c: Copyright (C) 2007-2016 Mauro Carvalho Chehab
> em28xx 1-1:2.0: alt 0 doesn't exist on interface 7
> usb 1-1: USB disconnect, device number 2
> em28xx 1-1:2.0: Disconnecting
> em28xx 1-1:2.0: Closing audio extension
> em28xx 1-1:2.0: Freeing device
> ==================================================================
> BUG: KASAN: use-after-free in em28xx_dvb_fini+0x74b/0x8e0
> Read of size 1 at addr ffff880069d2c12c by task kworker/0:1/24
>
> CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
> 4.14.0-rc7-44290-gf28444df2601-dirty #52
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>  __dump_stack lib/dump_stack.c:16
>  dump_stack+0xe1/0x157 lib/dump_stack.c:52
>  print_address_description+0x71/0x234 mm/kasan/report.c:252
>  kasan_report_error mm/kasan/report.c:351
>  kasan_report+0x173/0x270 mm/kasan/report.c:409
>  __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
>  em28xx_dvb_fini+0x74b/0x8e0 drivers/media/usb/em28xx/em28xx-dvb.c:2076
>  em28xx_close_extension+0x71/0x220 drivers/media/usb/em28xx/em28xx-core.c:1122
>  em28xx_usb_disconnect+0xd7/0x140 drivers/media/usb/em28xx/em28xx-cards.c:3763
>  usb_unbind_interface+0x1b6/0x950 drivers/usb/core/driver.c:423
>  __device_release_driver drivers/base/dd.c:861
>  device_release_driver_internal+0x529/0x5f0 drivers/base/dd.c:893
>  device_release_driver+0x1e/0x30 drivers/base/dd.c:918
>  bus_remove_device+0x2fc/0x4b0 drivers/base/bus.c:565
>  device_del+0x591/0xa70 drivers/base/core.c:1985
>  usb_disable_device+0x223/0x710 drivers/usb/core/message.c:1170
>  usb_disconnect+0x285/0x7f0 drivers/usb/core/hub.c:2205
>  hub_port_connect drivers/usb/core/hub.c:4838
>  hub_port_connect_change drivers/usb/core/hub.c:5093
>  port_event drivers/usb/core/hub.c:5199
>  hub_event_impl+0x10ec/0x3440 drivers/usb/core/hub.c:5311
>  hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
>  process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
>  worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
>  kthread+0x346/0x410 kernel/kthread.c:231
>  ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
>
> The buggy address belongs to the page:
> page:ffffea0001a74b00 count:0 mapcount:-127 mapping:          (null) index:0x0
> flags: 0x100000000000000()
> raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffff80
> raw: ffffea00019f0320 ffff88007fffa690 0000000000000002 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff880069d2c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  ffff880069d2c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>ffff880069d2c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>                                   ^
>  ffff880069d2c180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  ffff880069d2c200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ==================================================================

-linux-kernel@vger.kernel.or
+linux-kernel@vger.kernel.org

Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini

[Gustavo A. R. Silva]

Hi Andrey,

Could you please try this patch?

Thank you

Gustavo A. R. Silva

---
 drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c
index 4a7db62..fc3fb92 100644
--- a/drivers/media/usb/em28xx/em28xx-dvb.c
+++ b/drivers/media/usb/em28xx/em28xx-dvb.c
@@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev)
 	struct em28xx_dvb *dvb;
 	struct i2c_client *client;
 
+	if (!dev)
+		return 0;
+
 	if (dev->is_audio_only) {
 		/* Shouldn't initialize IR for this interface */
 		return 0;
-- 
2.7.4

Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini

[Andrey Konovalov]

On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva
<garsilva@embeddedor.com> wrote:
> Hi Andrey,
>
> Could you please try this patch?
>
> Thank you
>
> Gustavo A. R. Silva

Hi Gustavo,

Still see the crash with your patch.

Thanks!

>
> ---
>  drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c
> index 4a7db62..fc3fb92 100644
> --- a/drivers/media/usb/em28xx/em28xx-dvb.c
> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c
> @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev)
>         struct em28xx_dvb *dvb;
>         struct i2c_client *client;
>
> +       if (!dev)
> +               return 0;
> +
>         if (dev->is_audio_only) {
>                 /* Shouldn't initialize IR for this interface */
>                 return 0;
> --
> 2.7.4
>

Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini

[Gustavo A. R. Silva]

Quoting Andrey Konovalov <andreyknvl@google.com>:

> On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva
> <garsilva@embeddedor.com> wrote:
>> Hi Andrey,
>>
>> Could you please try this patch?
>>
>> Thank you
>>
>> Gustavo A. R. Silva
>
> Hi Gustavo,
>
> Still see the crash with your patch.
>
> Thanks!
>

Thank you, Andrey. I will look into this further.

--
Gustavo A. R. Silva

>>
>> ---
>>  drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c  
>> b/drivers/media/usb/em28xx/em28xx-dvb.c
>> index 4a7db62..fc3fb92 100644
>> --- a/drivers/media/usb/em28xx/em28xx-dvb.c
>> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c
>> @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev)
>>         struct em28xx_dvb *dvb;
>>         struct i2c_client *client;
>>
>> +       if (!dev)
>> +               return 0;
>> +
>>         if (dev->is_audio_only) {
>>                 /* Shouldn't initialize IR for this interface */
>>                 return 0;
>> --
>> 2.7.4
>>

Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini

[Andrey Konovalov]

On Wed, Nov 8, 2017 at 5:03 PM, Gustavo A. R. Silva
<garsilva@embeddedor.com> wrote:
>
> Quoting Andrey Konovalov <andreyknvl@google.com>:
>
>> On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva
>> <garsilva@embeddedor.com> wrote:
>>>
>>> Hi Andrey,
>>>
>>> Could you please try this patch?
>>>
>>> Thank you
>>>
>>> Gustavo A. R. Silva
>>
>>
>> Hi Gustavo,
>>
>> Still see the crash with your patch.
>>
>> Thanks!
>>
>
> Thank you, Andrey. I will look into this further.

Since I'm able to reproduce this, I can apply a patch with debug
printk's or something similar and run the reproducer. Send me a patch
if you think it might help.

>
> --
> Gustavo A. R. Silva
>
>
>>>
>>> ---
>>>  drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++
>>>  1 file changed, 3 insertions(+)
>>>
>>> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c
>>> b/drivers/media/usb/em28xx/em28xx-dvb.c
>>> index 4a7db62..fc3fb92 100644
>>> --- a/drivers/media/usb/em28xx/em28xx-dvb.c
>>> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c
>>> @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev)
>>>         struct em28xx_dvb *dvb;
>>>         struct i2c_client *client;
>>>
>>> +       if (!dev)
>>> +               return 0;
>>> +
>>>         if (dev->is_audio_only) {
>>>                 /* Shouldn't initialize IR for this interface */
>>>                 return 0;
>>> --
>>> 2.7.4
>>>
>
>
>
>
>
>

Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini

[Gustavo A. R. Silva]

Quoting Andrey Konovalov <andreyknvl@google.com>:

> On Wed, Nov 8, 2017 at 5:03 PM, Gustavo A. R. Silva
> <garsilva@embeddedor.com> wrote:
>>
>> Quoting Andrey Konovalov <andreyknvl@google.com>:
>>
>>> On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva
>>> <garsilva@embeddedor.com> wrote:
>>>>
>>>> Hi Andrey,
>>>>
>>>> Could you please try this patch?
>>>>
>>>> Thank you
>>>>
>>>> Gustavo A. R. Silva
>>>
>>>
>>> Hi Gustavo,
>>>
>>> Still see the crash with your patch.
>>>
>>> Thanks!
>>>
>>
>> Thank you, Andrey. I will look into this further.
>
> Since I'm able to reproduce this, I can apply a patch with debug
> printk's or something similar and run the reproducer. Send me a patch
> if you think it might help.
>

Awesome.

I'm pretty sure this bug is related to other issues like this one:  
https://groups.google.com/forum/#!topic/syzkaller/FnJq_QkwCLQ

em28xx is an old driver and it might require some refactoring in order  
to fix such issues.

I appreciate your help.

Thank you
--
Gustavo A. R. Silva

>>
>>
>>>>
>>>> ---
>>>>  drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++
>>>>  1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c
>>>> b/drivers/media/usb/em28xx/em28xx-dvb.c
>>>> index 4a7db62..fc3fb92 100644
>>>> --- a/drivers/media/usb/em28xx/em28xx-dvb.c
>>>> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c
>>>> @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev)
>>>>         struct em28xx_dvb *dvb;
>>>>         struct i2c_client *client;
>>>>
>>>> +       if (!dev)
>>>> +               return 0;
>>>> +
>>>>         if (dev->is_audio_only) {
>>>>                 /* Shouldn't initialize IR for this interface */
>>>>                 return 0;
>>>> --
>>>> 2.7.4
>>>>
>>
>>
>>
>>
>>
>>