[PATCH 4.9 07/20] NFC: port100: fix use-after-free in port100_send_complete

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Pavel Skripkin <paskripkin@gmail.com>,
	Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>,
	Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>,
	syzbot+16bcb127fb73baeecb14@syzkaller.appspotmail.com
Subject: [PATCH 4.9 07/20] NFC: port100: fix use-after-free in port100_send_complete
Date: Mon, 14 Mar 2022 12:34:08 +0100	[thread overview]
Message-ID: <20220314112730.615677855@linuxfoundation.org> (raw)
In-Reply-To: <20220314112730.388955049@linuxfoundation.org>

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit f80cfe2f26581f188429c12bd937eb905ad3ac7b ]

Syzbot reported UAF in port100_send_complete(). The root case is in
missing usb_kill_urb() calls on error handling path of ->probe function.

port100_send_complete() accesses devm allocated memory which will be
freed on probe failure. We should kill this urbs before returning an
error from probe function to prevent reported use-after-free

Fail log:

BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26
...
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670

...

Allocated by task 1255:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 alloc_dr drivers/base/devres.c:116 [inline]
 devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823
 devm_kzalloc include/linux/device.h:209 [inline]
 port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502

Freed by task 1255:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 __cache_free mm/slab.c:3437 [inline]
 kfree+0xf8/0x2b0 mm/slab.c:3794
 release_nodes+0x112/0x1a0 drivers/base/devres.c:501
 devres_release_all+0x114/0x190 drivers/base/devres.c:530
 really_probe+0x626/0xcc0 drivers/base/dd.c:670

Reported-and-tested-by: syzbot+16bcb127fb73baeecb14@syzkaller.appspotmail.com
Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Link: https://lore.kernel.org/r/20220308185007.6987-1-paskripkin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nfc/port100.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c
index ed65993aae96..838ec17073fd 100644
--- a/drivers/nfc/port100.c
+++ b/drivers/nfc/port100.c
@@ -1617,7 +1617,9 @@ static int port100_probe(struct usb_interface *interface,
 	nfc_digital_free_device(dev->nfc_digital_dev);
 
 error:
+	usb_kill_urb(dev->in_urb);
 	usb_free_urb(dev->in_urb);
+	usb_kill_urb(dev->out_urb);
 	usb_free_urb(dev->out_urb);
 	usb_put_dev(dev->udev);
 
-- 
2.34.1

next prev parent reply	other threads:[~2022-03-14 11:36 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-14 11:34 [PATCH 4.9 00/20] 4.9.307-rc1 review Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 01/20] net: qlogic: check the return value of dma_alloc_coherent() in qed_vf_hw_prepare() Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 02/20] qed: return status of qed_iov_get_link Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 03/20] ethernet: Fix error handling in xemaclite_of_probe Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 04/20] net: ethernet: lpc_eth: Handle error for clk_enable Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 05/20] ax25: Fix NULL pointer dereference in ax25_kill_by_device Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 06/20] net/mlx5: Fix size field in bufferx_reg struct Greg Kroah-Hartman
2022-03-14 11:34 ` Greg Kroah-Hartman [this message]
2022-03-14 11:34 ` [PATCH 4.9 08/20] gpio: ts4900: Do not set DAT and OE together Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 09/20] sctp: fix kernel-infoleak for SCTP sockets Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 10/20] net-sysfs: add check for netdevice being present to speed_show Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 11/20] Revert "xen-netback: Check for hotplug-status existence before watching" Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 12/20] tracing: Ensure trace buffer is at least 4096 bytes large Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 13/20] selftests/memfd: clean up mapping in mfd_fail_write Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 14/20] ARM: Spectre-BHB: provide empty stub for non-config Greg Kroah-Hartman
2022-03-14 11:34   ` Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 15/20] staging: gdm724x: fix use after free in gdm_lte_rx() Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 16/20] KVM: arm64: Reset PMC_EL0 to avoid a panic() on systems with no PMU Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 17/20] batman-adv: Request iflink once in batadv-on-batadv check Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 18/20] batman-adv: Dont expect inter-netns unique iflink indices Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 19/20] ARM: fix Thumb2 regression with Spectre BHB Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.9 20/20] btrfs: unlock newly allocated extent buffer after error Greg Kroah-Hartman

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ed65993aae9 dfblob:838ec17073f )
 OR (
bs:"[PATCH 4.9 07/20] NFC: port100: fix use-after-free in port100_send_complete" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220314112730.615677855@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=krzysztof.kozlowski@canonical.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=paskripkin@gmail.com \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+16bcb127fb73baeecb14@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.