* [PATCH] ieee802154: atusb: fix use-after-free at disconnect
@ 2019-09-19 12:12 Johan Hovold
2019-09-19 12:32 ` KASAN: use-after-free Read in atusb_disconnect syzbot
2019-09-19 14:56 ` [PATCH] ieee802154: atusb: fix use-after-free at disconnect Stefan Schmidt
0 siblings, 2 replies; 3+ messages in thread
From: Johan Hovold @ 2019-09-19 12:12 UTC
To: Stefan Schmidt
Cc: Alexander Aring, David S. Miller, linux-wpan, netdev,
linux-kernel, andreyknvl, syzkaller-bugs, Johan Hovold, stable,
syzbot+f4509a9138a1472e7e80
The disconnect callback was accessing the hardware-descriptor private
data after having freed it.
Fixes: 7490b008d123 ("ieee802154: add support for atusb transceiver")
Cc: stable <stable@vger.kernel.org> # 4.2
Cc: Alexander Aring <alex.aring@gmail.com>
Reported-by: syzbot+f4509a9138a1472e7e80@syzkaller.appspotmail.com
Signed-off-by: Johan Hovold <johan@kernel.org>
---
#syz test: https://github.com/google/kasan.git f0df5c1b
drivers/net/ieee802154/atusb.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c
index ceddb424f887..0dd0ba915ab9 100644
--- a/drivers/net/ieee802154/atusb.c
+++ b/drivers/net/ieee802154/atusb.c
@@ -1137,10 +1137,11 @@ static void atusb_disconnect(struct usb_interface *interface)
ieee802154_unregister_hw(atusb->hw);
+ usb_put_dev(atusb->usb_dev);
+
ieee802154_free_hw(atusb->hw);
usb_set_intfdata(interface, NULL);
- usb_put_dev(atusb->usb_dev);
pr_debug("%s done\n", __func__);
}
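Review bot: the ordering requirement behind the moved usb_put_dev(atusb->usb_dev) line is not documented in the code. Per the commit message, atusb is the hardware descriptor's private data, so it is gone once ieee802154_free_hw(atusb->hw) returns; a one-line comment above that call stating that atusb must not be dereferenced past it would keep a later cleanup from moving an atusb-> access back below the free.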
--
2.23.0
* Re: KASAN: use-after-free Read in atusb_disconnect
From: syzbot @ 2019-09-19 12:32 UTC
To: alex.aring, andreyknvl, davem, johan, linux-kernel, linux-wpan,
netdev, stable, stefan, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger
crash:
Reported-and-tested-by:
syzbot+f4509a9138a1472e7e80@syzkaller.appspotmail.com
Tested on:
commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=f4509a9138a1472e7e80
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f3ebb5600000
Note: testing is done by a robot and is best-effort only.
* Re: [PATCH] ieee802154: atusb: fix use-after-free at disconnect
From: Stefan Schmidt @ 2019-09-19 14:56 UTC
To: Johan Hovold
Cc: Alexander Aring, David S. Miller, linux-wpan, netdev,
linux-kernel, andreyknvl, syzkaller-bugs, stable,
syzbot+f4509a9138a1472e7e80
Hello.
On 19.09.19 14:12, Johan Hovold wrote:
> The disconnect callback was accessing the hardware-descriptor private
> data after having freed it.
>
> Fixes: 7490b008d123 ("ieee802154: add support for atusb transceiver")
> Cc: stable <stable@vger.kernel.org> # 4.2
> Cc: Alexander Aring <alex.aring@gmail.com>
> Reported-by: syzbot+f4509a9138a1472e7e80@syzkaller.appspotmail.com
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
>
> #syz test: https://github.com/google/kasan.git f0df5c1b
>
> drivers/net/ieee802154/atusb.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c
> index ceddb424f887..0dd0ba915ab9 100644
> --- a/drivers/net/ieee802154/atusb.c
> +++ b/drivers/net/ieee802154/atusb.c
> @@ -1137,10 +1137,11 @@ static void atusb_disconnect(struct usb_interface *interface)
>
> ieee802154_unregister_hw(atusb->hw);
>
> + usb_put_dev(atusb->usb_dev);
> +
> ieee802154_free_hw(atusb->hw);
>
> usb_set_intfdata(interface, NULL);
> - usb_put_dev(atusb->usb_dev);
>
> pr_debug("%s done\n", __func__);
> }
>
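Review bot: the changelog does not name the access that was the use-after-free; from the hunk it is the atusb->usb_dev read in the old usb_put_dev() call that followed ieee802154_free_hw(atusb->hw), and saying so would help anyone backporting to stable. If the put is meant to stay the last teardown step, an alternative is to save atusb->usb_dev in a local struct usb_device pointer before the free and call usb_put_dev() on that local at the end.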
This patch has been applied to the wpan tree and will be
part of the next pull request to net.
Thanks a lot for having a look at this!
regards
Stefan Schmidt