* [PATCH v2 0/2] usb: gadget: use after free in dev_config
@ 2021-12-30 4:38 Hangyu Hua
2021-12-30 4:38 ` [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf Hangyu Hua
2021-12-30 4:38 ` [PATCH v2 2/2] usb: gadget: clear related members when goto fail Hangyu Hua
0 siblings, 2 replies; 5+ messages in thread
From: Hangyu Hua @ 2021-12-30 4:38 UTC (permalink / raw)
To: balbi, gregkh, axboe, stern, jj251510319013, dan.carpenter
Cc: linux-usb, linux-kernel, Hangyu Hua
There are two bugs:
dev->buf does not need to be released if it already exists before
executing dev_config.
dev->config and dev->hs_config and dev->dev need to be cleaned if
dev_config fails to avoid UAF.
v2:
1. break one patch up into two separate patches.
2. use "fail:" to clear all members.
Hangyu Hua (2):
usb: gadget: don't release an existing dev->buf
usb: gadget: clear related members when goto fail
drivers/usb/gadget/legacy/inode.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
--
2.25.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf
2021-12-30 4:38 [PATCH v2 0/2] usb: gadget: use after free in dev_config Hangyu Hua
@ 2021-12-30 4:38 ` Hangyu Hua
2021-12-30 11:03 ` Greg KH
2021-12-30 4:38 ` [PATCH v2 2/2] usb: gadget: clear related members when goto fail Hangyu Hua
1 sibling, 1 reply; 5+ messages in thread
From: Hangyu Hua @ 2021-12-30 4:38 UTC (permalink / raw)
To: balbi, gregkh, axboe, stern, jj251510319013, dan.carpenter
Cc: linux-usb, linux-kernel, Hangyu Hua
dev->buf does not need to be released if it already exists before
executing dev_config.
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
drivers/usb/gadget/legacy/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index 3b58f4fc0a80..564352035ac1 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1826,8 +1826,9 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
spin_lock_irq (&dev->lock);
value = -EINVAL;
if (dev->buf) {
+ spin_unlock_irq(&dev->lock);
kfree(kbuf);
- goto fail;
+ return value;
}
dev->buf = kbuf;
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH v2 2/2] usb: gadget: clear related members when goto fail
2021-12-30 4:38 [PATCH v2 0/2] usb: gadget: use after free in dev_config Hangyu Hua
2021-12-30 4:38 ` [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf Hangyu Hua
@ 2021-12-30 4:38 ` Hangyu Hua
1 sibling, 0 replies; 5+ messages in thread
From: Hangyu Hua @ 2021-12-30 4:38 UTC (permalink / raw)
To: balbi, gregkh, axboe, stern, jj251510319013, dan.carpenter
Cc: linux-usb, linux-kernel, Hangyu Hua
dev->config and dev->hs_config and dev->dev need to be cleaned if
dev_config fails to avoid UAF.
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
drivers/usb/gadget/legacy/inode.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index 564352035ac1..c03ac0272e7d 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1847,7 +1847,7 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
total = le16_to_cpu(dev->hs_config->wTotalLength);
if (!is_valid_config(dev->hs_config, total) ||
total > length - USB_DT_DEVICE_SIZE)
- goto fail;
+ goto fail1;
kbuf += total;
length -= total;
} else {
@@ -1858,12 +1858,12 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
/* device descriptor (tweaked for paranoia) */
if (length != USB_DT_DEVICE_SIZE)
- goto fail;
+ goto fail1;
dev->dev = (void *)kbuf;
if (dev->dev->bLength != USB_DT_DEVICE_SIZE
|| dev->dev->bDescriptorType != USB_DT_DEVICE
|| dev->dev->bNumConfigurations != 1)
- goto fail;
+ goto fail2;
dev->dev->bcdUSB = cpu_to_le16 (0x0200);
/* triggers gadgetfs_bind(); then we can enumerate. */
@@ -1875,6 +1875,9 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
value = usb_gadget_probe_driver(&gadgetfs_driver);
if (value != 0) {
+ dev->dev = NULL
+ dev->hs_config = NULL;
+ dev->config = NULL;
kfree (dev->buf);
dev->buf = NULL;
} else {
@@ -1892,7 +1895,12 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
}
return value;
+fail2:
+ dev->dev = NULL;
+fail1:
+ dev->hs_config = NULL;
fail:
+ dev->config = NULL;
spin_unlock_irq (&dev->lock);
pr_debug ("%s: %s fail %zd, %p\n", shortname, __func__, value, dev);
kfree (dev->buf);
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf
2021-12-30 4:38 ` [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf Hangyu Hua
@ 2021-12-30 11:03 ` Greg KH
2021-12-31 1:44 ` Hangyu Hua
0 siblings, 1 reply; 5+ messages in thread
From: Greg KH @ 2021-12-30 11:03 UTC (permalink / raw)
To: Hangyu Hua
Cc: balbi, axboe, stern, jj251510319013, dan.carpenter, linux-usb,
linux-kernel
On Thu, Dec 30, 2021 at 12:38:14PM +0800, Hangyu Hua wrote:
> dev->buf does not need to be released if it already exists before
> executing dev_config.
>
> Acked-by: Alan Stern <stern@rowland.harvard.edu>
I missed this, where did Alan ack this patch?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf
2021-12-30 11:03 ` Greg KH
@ 2021-12-31 1:44 ` Hangyu Hua
0 siblings, 0 replies; 5+ messages in thread
From: Hangyu Hua @ 2021-12-31 1:44 UTC (permalink / raw)
To: Greg KH
Cc: balbi, axboe, stern, jj251510319013, dan.carpenter, linux-usb,
linux-kernel
I misunderstood the meaning of Alan. He didn't ack this patch. We stil
disscuss about this. I am sorry.
On 2021/12/30 下午7:03, Greg KH wrote:
> On Thu, Dec 30, 2021 at 12:38:14PM +0800, Hangyu Hua wrote:
>> dev->buf does not need to be released if it already exists before
>> executing dev_config.
>>
>> Acked-by: Alan Stern <stern@rowland.harvard.edu>
>
> I missed this, where did Alan ack this patch?
>
> thanks,
>
> greg k-h
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-12-31 1:44 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-30 4:38 [PATCH v2 0/2] usb: gadget: use after free in dev_config Hangyu Hua
2021-12-30 4:38 ` [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf Hangyu Hua
2021-12-30 11:03 ` Greg KH
2021-12-31 1:44 ` Hangyu Hua
2021-12-30 4:38 ` [PATCH v2 2/2] usb: gadget: clear related members when goto fail Hangyu Hua
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.