From: "Kieronski, Milosz" <milosz.kieronski@aptiv.com>
To: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"Ignacyk, Slawek" <slawek.ignacyk@aptiv.com>,
	"linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>
Subject: [PATCH] usb: gadget: f_ncm: Prevent use-after-free of notify_req
Date: Wed, 20 Nov 2019 10:03:48 +0000
Message-ID: <20191120100327.GA11036@aptiv-dev>

When ncm_unbind() executes first, ncm->notify_req is freed before
usb_ep_free_request(). This produces a use-after-free bug in ncm_close()
when we write to ncm->notify_req->buf despite the "if (!req)" check.

To make this sanity check work, we set ncm->notify_req to NULL
after each free.

Signed-off-by: Milosz Kieronski <milosz.kieronski@aptiv.com>
Co-developed-by: Slawek Ignacyk <slawek.ignacyk@aptiv.com>
Signed-off-by: Slawek Ignacyk <slawek.ignacyk@aptiv.com>
---
 drivers/usb/gadget/function/f_ncm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c
index 2d6e76e4cffa..a1a521a69187 100644
--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -1526,10 +1526,13 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f)
 	kfree(f->os_desc_table);
 	f->os_desc_n = 0;
 
+	spin_lock(&ncm->lock);
 	if (ncm->notify_req) {
 		kfree(ncm->notify_req->buf);
 		usb_ep_free_request(ncm->notify, ncm->notify_req);
+		ncm->notify_req = NULL;
 	}
+	spin_unlock(&ncm->lock);
 
 	ERROR(cdev, "%s: can't bind, err %d\n", f->name, status);
 
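Review bot: the lock is taken with plain spin_lock()/spin_unlock() around kfree() and usb_ep_free_request() in this error path, and the commit message does not explain why locking is needed here at all: on a failed bind nothing else holds a reference to ncm->notify_req yet, so the `ncm->notify_req = NULL;` line is the only part of this hunk that the description motivates. If the lock is kept, please confirm that ncm->lock is never acquired from the endpoint completion path (interrupt context), because a non-irqsave spin_lock() in process context can deadlock against it; otherwise drop the locking here and mention in the commit message that only the NULL reset is the fix.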
@@ -1649,8 +1652,11 @@ static void ncm_unbind(struct usb_configuration *c, struct usb_function *f)
 	ncm_string_defs[0].id = 0;
 	usb_free_all_descriptors(f);
 
+	spin_lock(&ncm->lock);
 	kfree(ncm->notify_req->buf);
 	usb_ep_free_request(ncm->notify, ncm->notify_req);
+	ncm->notify_req = NULL;
+	spin_unlock(&ncm->lock);
 }
 
 static struct usb_function *ncm_alloc(struct usb_function_instance *fi)
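Review bot: setting ncm->notify_req to NULL under ncm->lock only closes the race with ncm_close() if ncm_close() also checks and dereferences ncm->notify_req while holding ncm->lock; if it reads the pointer unlocked (as the "if (!req)" check described in the message suggests), this hunk narrows the window but does not remove it, so please state in the commit message how ncm_close() synchronizes with this NULL store, or take the same lock there. Also, with `kfree(ncm->notify_req->buf);` still unconditional, this function still dereferences the pointer before the lock is held; move the lock before the first dereference, or reuse the "if (ncm->notify_req)" guard from the bind error path so both free sites behave the same way.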
-- 
2.17.1