From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Udipto Goswami <quic_ugoswami@quicinc.com>
Cc: Felipe Balbi <balbi@kernel.org>,
linux-usb@vger.kernel.org,
Pratham Pratap <quic_ppratap@quicinc.com>,
Pavankumar Kondeti <quic_pkondeti@quicinc.com>,
Jack Pham <quic_jackp@quicinc.com>
Subject: Re: [PATCH] usb: f_fs: Fix use-after-free for epfile
Date: Fri, 19 Nov 2021 07:39:41 +0100
Message-ID: <YZdGrfDPa5XCNTF3@kroah.com>
In-Reply-To: <1637299915-10477-1-git-send-email-quic_ugoswami@quicinc.com>
On Fri, Nov 19, 2021 at 11:01:55AM +0530, Udipto Goswami wrote:
> From: Pratham Pratap <quic_ppratap@quicinc.com>
>
> Consider a case where ffs_func_eps_disable is called from
> ffs_func_disable as part of composition switch and at the
> same time ffs_epfile_release get called from userspace.
> ffs_epfile_release will free up the read buffer and call
> ffs_data_closed which in turn destroys ffs->epfiles and
> mark it as NULL. While this was happening the driver has
> already initialized the local epfile in ffs_func_eps_disable
> which is now freed and waiting to acquire the spinlock. Once
> spinlock is acquired the driver proceeds with the stale value
> of epfile and tries to free the already freed read buffer
> causing use-after-free.
>
> Following is the illustration of the race:
>
> CPU1                                   CPU2
>
> ffs_func_eps_disable
> epfiles (local copy)
>                                        ffs_epfile_release
>                                        __ffs_epfile_read_buffer_free
>                                        kfree(read_buffers)
>                                        kfree(epfile)
> (epfiles still accessible
> since local copy)
> kfree(read_buffers) <use_after_free>
>
> Another possibility of use-after-free is with the read_buffers.
> Currently, ffs_func_eps_disable & ffs_epfile_release can race:
> if ffs_epfile_release runs in between while ffs_func_eps_disable
> is executing, then, not being under any lock, it can go ahead
> and free the read buffer; but since ffs_func_eps_disable
> maintains a local copy of epfiles, that copy will still be valid here,
> and freeing the buffer again will cause a use-after-free.
> Following is the illustration of the case:
> CPU1                                   CPU2
>
> ffs_func_eps_disable
> spin_lock_irqsave
> (epfile) local copy
>                                        ffs_epfile_release
>                                        __ffs_epfile_read_buffer_free
>                                        kfree(epfile->read_buffer)
> __ffs_epfile_read_buffer_free
> kfree(epfile->read_buffer)
> <<use_after_free>>
>
> Fix these races by taking the epfile local copy & assigning it under
> the spinlock, and if epfile (local) is not NULL then update it in ffs->epfiles
> and finally destroy it.
>
> Change-Id: I85b1a0aea88c0033fbeef4c5db5104caac211540
Always run scripts/checkpatch.pl on your changes so you do not get
grumpy maintainers asking you to run scripts/checkpatch.pl on your
changes.
Thread overview: 2+ messages
2021-11-19 5:31 [PATCH] usb: f_fs: Fix use-after-free for epfile Udipto Goswami
2021-11-19 6:39 ` Greg Kroah-Hartman [this message]
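The following is a userland C model of the lifetimes the quoted commit message describes, added here as an illustration; it is not kernel code and not part of the thread. struct epfile, struct ffs_data, model_kfree and the run_* drivers are hypothetical stand-ins for the names in the message, and the spinlock appears only as comments because the interleaving is driven by hand rather than by real threads. The "buggy" pair reproduces the first diagram (a local copy of epfiles taken before the lock outlives the release path, so the read buffers are freed twice); the "fixed" pair shows the pattern the patch description proposes: snapshot ffs->epfiles under the lock on one side and clear it under the same lock on the other, so whichever path runs second finds nothing left to free.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the structures named in the commit message, not
 * the real kernel layout. The spinlock is shown as comments marking where each
 * path would hold ffs->eps_lock; the interleavings are sequenced by hand. */
struct epfile { char *read_buffer; };
struct ffs_data { struct epfile *epfiles; unsigned eps_count; };

/* "kfree" that records pointers instead of freeing them: a second free is
 * undefined behaviour, so the model counts it; memory stays mapped so a stale
 * pointer can still be dereferenced, which is what the bug requires. */
#define MAX_FREED 32
static void *freed[MAX_FREED];
static int nfreed, double_frees;

static void model_kfree(void *p)
{
    for (int i = 0; p && i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; }
    if (p && nfreed < MAX_FREED)
        freed[nfreed++] = p;
}

static void setup(struct ffs_data *ffs, unsigned count)
{
    ffs->eps_count = count;
    ffs->epfiles = calloc(count, sizeof(*ffs->epfiles));
    for (unsigned i = 0; i < count; i++)
        ffs->epfiles[i].read_buffer = malloc(64);  /* constructed sample data */
    nfreed = double_frees = 0;
}

/* Pre-fix ffs_func_eps_disable, second half: the caller snapshotted epfiles
 * before the lock; here the read buffers are freed through that snapshot. */
static void disable_buggy_free(struct ffs_data *ffs, struct epfile *epfile)
{
    /* spin_lock_irqsave(&ffs->eps_lock) */
    for (unsigned i = 0; i < ffs->eps_count; i++) {
        model_kfree(epfile[i].read_buffer);   /* stale once release ran */
        epfile[i].read_buffer = NULL;
    }
    /* spin_unlock_irqrestore(&ffs->eps_lock) */
}

/* Pre-fix ffs_epfile_release: frees buffers and epfiles with no lock and
 * clears the shared pointer only afterwards. */
static void release_buggy(struct ffs_data *ffs)
{
    struct epfile *epfiles = ffs->epfiles;
    for (unsigned i = 0; i < ffs->eps_count; i++)
        model_kfree(epfiles[i].read_buffer);
    model_kfree(epfiles);
    ffs->epfiles = NULL;
}

/* Fixed: read the shared pointer under the lock, do nothing if it is NULL. */
static void disable_fixed(struct ffs_data *ffs)
{
    /* spin_lock_irqsave(&ffs->eps_lock) */
    struct epfile *epfile = ffs->epfiles;
    for (unsigned i = 0; epfile && i < ffs->eps_count; i++) {
        model_kfree(epfile[i].read_buffer);
        epfile[i].read_buffer = NULL;
    }
    /* spin_unlock_irqrestore(&ffs->eps_lock) */
}

/* Fixed: unpublish under the lock, free outside it; the first path to take
 * the pointer owns the teardown. */
static void release_fixed(struct ffs_data *ffs)
{
    /* spin_lock_irqsave(&ffs->eps_lock) */
    struct epfile *epfiles = ffs->epfiles;
    ffs->epfiles = NULL;
    /* spin_unlock_irqrestore(&ffs->eps_lock) */
    for (unsigned i = 0; epfiles && i < ffs->eps_count; i++)
        model_kfree(epfiles[i].read_buffer);
    model_kfree(epfiles);
}

/* First diagram: CPU1 copies epfiles before the lock, CPU2 releases, CPU1
 * resumes with the stale copy. Returns the double frees (one per endpoint). */
static int run_buggy_interleaving(void)
{
    struct ffs_data ffs;
    setup(&ffs, 2);
    struct epfile *stale = ffs.epfiles;   /* CPU1: local copy, lock not held */
    release_buggy(&ffs);                  /* CPU2: frees buffers and epfiles */
    disable_buggy_free(&ffs, stale);      /* CPU1: frees them a second time */
    return double_frees;
}

/* Fixed paths serialise on eps_lock, so either order is safe: the second
 * path finds the buffers already gone or the pointer NULL. */
static int run_fixed(bool release_first)
{
    struct ffs_data ffs;
    setup(&ffs, 2);
    if (release_first) { release_fixed(&ffs); disable_fixed(&ffs); }
    else               { disable_fixed(&ffs); release_fixed(&ffs); }
    return double_frees;
}
```

run_buggy_interleaving() returns 2, one double free per endpoint, and run_fixed() returns 0 in either order. In the real driver the second kfree goes through an epfiles array that has itself already been destroyed, so it is a use-after-free before it is a double free; the model keeps that memory mapped only so the second free can be counted rather than crash.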