From: Kalle Valo <kvalo@codeaurora.org>
To: Zekun Shen <bruceshenzk@gmail.com>
Cc: Amitkumar Karwar <amitkarwar@gmail.com>,
	Siva Rebbagondla <siva8118@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, brendandg@nyu.edu
Subject: Re: [PATCH] rsi_usb: Fix use-after-free in rsi_rx_done_handler
Date: Mon, 01 Nov 2021 16:06:52 +0200	[thread overview]
Message-ID: <87y2680y2r.fsf@codeaurora.org> (raw)
In-Reply-To: <YXxQL/vIiYcZUu/j@10-18-43-117.dynapool.wireless.nyu.edu> (Zekun Shen's message of "Fri, 29 Oct 2021 15:49:03 -0400")

Zekun Shen <bruceshenzk@gmail.com> writes:

> When freeing rx_cb->rx_skb, the pointer is not set to NULL, so
> a later rsi_rx_done_handler call will try to read the freed
> address.
> This bug will very likely lead to a double free, although it is
> detected early as a use-after-free bug.
>
> The bug is triggerable with a compromised/malfunctional usb
> device. After applying the patch, the same input no longer
> triggers the use-after-free.
>
> Attached is the kasan report from fuzzing.
>
> BUG: KASAN: use-after-free in rsi_rx_done_handler+0x354/0x430 [rsi_usb]
> Read of size 4 at addr ffff8880188e5930 by task modprobe/231
> Call Trace:
>  <IRQ>
>  dump_stack+0x76/0xa0
>  print_address_description.constprop.0+0x16/0x200
>  ? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
>  ? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
>  __kasan_report.cold+0x37/0x7c
>  ? dma_direct_unmap_page+0x90/0x110
>  ? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
>  kasan_report+0xe/0x20
>  rsi_rx_done_handler+0x354/0x430 [rsi_usb]
>  __usb_hcd_giveback_urb+0x1e4/0x380
>  usb_giveback_urb_bh+0x241/0x4f0
>  ? __usb_hcd_giveback_urb+0x380/0x380
>  ? apic_timer_interrupt+0xa/0x20
>  tasklet_action_common.isra.0+0x135/0x330
>  __do_softirq+0x18c/0x634
>  ? handle_irq_event+0xcd/0x157
>  ? handle_edge_irq+0x1eb/0x7b0
>  irq_exit+0x114/0x140
>  do_IRQ+0x91/0x1e0
>  common_interrupt+0xf/0xf
>  </IRQ>
>
> Reported-by: Zekun Shen <bruceshenzk@gmail.com>
> Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
> Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>

There's no need to have the author in Reported-by tag, so I'll remove
that.

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
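The report above describes a stale pointer left behind after a buffer is freed, which a later completion handler then dereferences. The following is an added example, not code from the rsi driver or from the patch under review: it models that bug class with a hypothetical `rx_cb` structure and a stand-in `rx_done_handler`, showing the free-without-clearing pattern beside the free-and-clear pattern plus the NULL guard that lets the handler refuse a buffer that is already gone. The struct layout, function names and the 0xAB fill value are all constructed for the example.

```c
/* Added example: a constructed model of the use-after-free pattern from the
 * report. Not the rsi driver's code; all names and values are hypothetical. */
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for a receive control block holding a buffer pointer. */
struct rx_cb {
    unsigned char *rx_skb;   /* buffer the completion handler works on */
    size_t len;
};

struct rx_cb *rx_cb_alloc(size_t len)
{
    struct rx_cb *cb = calloc(1, sizeof(*cb));
    if (!cb)
        return NULL;
    cb->rx_skb = malloc(len);
    if (!cb->rx_skb) {
        free(cb);
        return NULL;
    }
    memset(cb->rx_skb, 0xAB, len);   /* constructed marker content */
    cb->len = len;
    return cb;
}

/* Buggy pattern: the buffer is released but rx_skb keeps its old value, so
 * any later handler invocation reads freed memory (what KASAN flagged). */
void rx_skb_free_dangling(struct rx_cb *cb)
{
    free(cb->rx_skb);
}

/* Fixed pattern: release and clear together so no stale pointer survives
 * and a second free becomes a harmless free(NULL). */
void rx_skb_free_and_clear(struct rx_cb *cb)
{
    free(cb->rx_skb);
    cb->rx_skb = NULL;
    cb->len = 0;
}

/* Hypothetical completion handler. Returns the number of bytes it consumed,
 * or -1 when there is no buffer to work on. The guard is only meaningful
 * when every free path clears the pointer. */
int rx_done_handler(struct rx_cb *cb)
{
    if (!cb || !cb->rx_skb)
        return -1;
    int first = cb->rx_skb[0];   /* safe: guard above held */
    return first == 0xAB ? (int)cb->len : 0;
}

/* Live buffer: the handler consumes the whole length. */
int handler_consumes_live_buffer(void)
{
    struct rx_cb *cb = rx_cb_alloc(16);
    if (!cb)
        return -2;
    int consumed = rx_done_handler(cb);
    rx_skb_free_and_clear(cb);
    free(cb);
    return consumed;
}

/* Freed-and-cleared buffer: the handler refuses it instead of reading it. */
bool cleared_buffer_is_rejected(void)
{
    struct rx_cb *cb = rx_cb_alloc(64);
    if (!cb)
        return false;
    rx_skb_free_and_clear(cb);
    bool rejected = (rx_done_handler(cb) == -1) && (cb->rx_skb == NULL);
    free(cb);
    return rejected;
}
```

The dangling variant is kept only for contrast and is never followed by a handler call here, since doing so would be the undefined behaviour the report documents. In a driver the same discipline applies to every path that releases the buffer: clearing the pointer at the free site is what makes the handler's NULL check a real boundary rather than a check that can be bypassed by a stale value.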
