From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Julian Squires <julian@cipht.net>,
Hans de Goede <hdegoede@redhat.com>,
Jiri Kosina <jikos@kernel.org>,
Benjamin Tissoires <benjamin.tissoires@redhat.com>,
syzbot <syzbot+7bf5a7b0f0a1f9446f4c@syzkaller.appspotmail.com>,
linux-input@vger.kernel.org, andreyknvl@google.com,
gregkh@linuxfoundation.org, ingrassia@epigenesys.com,
Kernel development list <linux-kernel@vger.kernel.org>,
USB list <linux-usb@vger.kernel.org>,
syzkaller-bugs@googlegroups.com, Ping Cheng <pingc@wacom.com>,
pinglinux@gmail.com, killertofu@gmail.com
Subject: Re: KASAN: use-after-free Read in usbhid_close (3)
Date: Sat, 18 Apr 2020 21:13:44 -0700
Message-ID: <20200419041344.GC166864@dtor-ws>
In-Reply-To: <20200419040944.GB166864@dtor-ws>
On Sat, Apr 18, 2020 at 09:09:44PM -0700, Dmitry Torokhov wrote:
> Hi Alan,
>
> On Sat, Apr 18, 2020 at 10:16:32PM -0400, Alan Stern wrote:
> > linux-input people:
> >
> > syzbot has found a bug related to USB/HID/input, and I have narrowed it
> > down to the wacom driver. As far as I can tell, the problem is caused by
> > the fact that drivers/hid/wacom_sys.c calls input_register_device()
> > in several places, but it never calls input_unregister_device().
> >
> > I know very little about the input subsystem, but this certainly seems
> > like a bug.
>
> The Wacom driver uses devm_input_allocate_device(), so unregister should
> happen automatically on device removal once we exit wacom_probe().
>
> >
> > When the device is unplugged, the disconnect pathway doesn't call
> > hid_hw_close(). That routine doesn't get called until the user closes
> > the device file (which can be long after the device is gone and
> > hid_hw_stop() has run). Then usbhid_close() gets a use-after-free
> > error when it tries to access data structures that were deallocated by
> > usbhid_stop(). No doubt there are other problems too, but this is
> > the one that syzbot found.
>
> Unregistering the input device should result in calling wacom_close()
> (if device was previously opened), which, as far as I can tell, calls
> hid_hw_close().
>
> I wonder if it is valid to call hid_hw_stop() before hid_hw_close()?
>
> It could be that we again get confused by the "easiness" of devm APIs
> and are completely screwing up the unwind order.
Let's also add Ping and Jason to the conversation...
--
Dmitry
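The ordering question raised in this message (can hid_hw_stop() run before hid_hw_close() when the input device is devm-managed?) as a small user-space model. This is an added illustration, not kernel code or the wacom driver's own logic: the functions are stand-ins with the same names, the devm stack is a hypothetical LIFO list, and a flag records the point where a real usbhid_close() would touch freed data.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model only (not kernel code): hid_hw_stop() tears down the transport
 * state that hid_hw_close() later touches. */
struct hid_dev {
    bool transport_alive; /* cleared by hid_hw_stop() */
    bool opened;          /* set while the input device is still open */
    bool uaf;             /* set when close runs after stop (stand-in for the real UAF) */
};

static void hid_hw_stop(struct hid_dev *hid) { hid->transport_alive = false; }

static void hid_hw_close(struct hid_dev *hid) {
    if (!hid->transport_alive)
        hid->uaf = true; /* real usbhid_close() would dereference freed data here */
    hid->opened = false;
}

/* Hypothetical devm action list: actions run LIFO after remove() returns. */
typedef void (*devm_action_t)(struct hid_dev *);
struct devm_stack { devm_action_t fn[4]; size_t n; };
static void devm_add(struct devm_stack *s, devm_action_t fn) { s->fn[s->n++] = fn; }
static void devm_release_all(struct devm_stack *s, struct hid_dev *hid) {
    while (s->n > 0)
        s->fn[--s->n](hid);
}

/* devm_input_allocate_device(): unregister closes the device if still open,
 * which in the wacom case ends in hid_hw_close(). */
static void input_unregister_action(struct hid_dev *hid) {
    if (hid->opened)
        hid_hw_close(hid);
}
static void hid_hw_stop_action(struct hid_dev *hid) { hid_hw_stop(hid); }

/* Returns true if close observed the transport already torn down. */
static bool simulate_unplug(bool explicit_stop_in_remove) {
    struct hid_dev hid = { .transport_alive = true, .opened = true, .uaf = false };
    struct devm_stack devm = { { NULL }, 0 };
    if (explicit_stop_in_remove) {
        devm_add(&devm, input_unregister_action); /* probe: input registered via devm */
        hid_hw_stop(&hid);                        /* remove(): runs before devm unwinds */
    } else {
        devm_add(&devm, hid_hw_stop_action);      /* hypothetical: stop managed, added first */
        devm_add(&devm, input_unregister_action); /* added last, so it unwinds first */
    }
    devm_release_all(&devm, &hid); /* LIFO: unregister/close, then stop */
    return hid.uaf;
}
```

With an explicit stop in remove() the model reports the close-after-stop access; with both teardown steps ordered by the devm stack, close runs while the transport is still alive.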