[PATCH v2 0/2] usb: gadget: use after free in dev

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH v2 0/2] usb: gadget: use after free in dev_config
@ 2021-12-30  4:38 Hangyu Hua
  2021-12-30  4:38 ` [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf Hangyu Hua
  2021-12-30  4:38 ` [PATCH v2 2/2] usb: gadget: clear related members when goto fail Hangyu Hua
  0 siblings, 2 replies; 5+ messages in thread
From: Hangyu Hua @ 2021-12-30  4:38 UTC (permalink / raw)
  To: balbi, gregkh, axboe, stern, jj251510319013, dan.carpenter
  Cc: linux-usb, linux-kernel, Hangyu Hua

There are two bugs:
dev->buf does not need to be released if it already exists before
executing dev_config.
dev->config and dev->hs_config and dev->dev need to be cleaned if
dev_config fails to avoid UAF.

v2:
1. break one patch up into two separate patches.
2. use "fail:" to clear all members.

Hangyu Hua (2):
  usb: gadget: don't release an existing dev->buf
  usb: gadget: clear related members when goto fail

 drivers/usb/gadget/legacy/inode.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

-- 
2.25.1


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf
  2021-12-30  4:38 [PATCH v2 0/2] usb: gadget: use after free in dev_config Hangyu Hua
@ 2021-12-30  4:38 ` Hangyu Hua
  2021-12-30 11:03   ` Greg KH
  2021-12-30  4:38 ` [PATCH v2 2/2] usb: gadget: clear related members when goto fail Hangyu Hua
  1 sibling, 1 reply; 5+ messages in thread
From: Hangyu Hua @ 2021-12-30  4:38 UTC (permalink / raw)
  To: balbi, gregkh, axboe, stern, jj251510319013, dan.carpenter
  Cc: linux-usb, linux-kernel, Hangyu Hua

dev->buf does not need to be released if it already exists before
executing dev_config.

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
 drivers/usb/gadget/legacy/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index 3b58f4fc0a80..564352035ac1 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1826,8 +1826,9 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	spin_lock_irq (&dev->lock);
 	value = -EINVAL;
 	if (dev->buf) {
+		spin_unlock_irq(&dev->lock);
 		kfree(kbuf);
-		goto fail;
+		return value;
 	}
 	dev->buf = kbuf;
 
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf
  2021-12-30  4:38 ` [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf Hangyu Hua
@ 2021-12-30 11:03   ` Greg KH
  2021-12-31  1:44     ` Hangyu Hua
  0 siblings, 1 reply; 5+ messages in thread
From: Greg KH @ 2021-12-30 11:03 UTC (permalink / raw)
  To: Hangyu Hua
  Cc: balbi, axboe, stern, jj251510319013, dan.carpenter, linux-usb,
	linux-kernel

On Thu, Dec 30, 2021 at 12:38:14PM +0800, Hangyu Hua wrote:
> dev->buf does not need to be released if it already exists before
> executing dev_config.
> 
> Acked-by: Alan Stern <stern@rowland.harvard.edu>

I missed this, where did Alan ack this patch?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf
  2021-12-30 11:03   ` Greg KH
@ 2021-12-31  1:44     ` Hangyu Hua
  0 siblings, 0 replies; 5+ messages in thread
From: Hangyu Hua @ 2021-12-31  1:44 UTC (permalink / raw)
  To: Greg KH
  Cc: balbi, axboe, stern, jj251510319013, dan.carpenter, linux-usb,
	linux-kernel

I misunderstood the meaning of Alan. He didn't ack this patch. We stil 
disscuss about this. I am sorry.

On 2021/12/30 下午7:03, Greg KH wrote:
> On Thu, Dec 30, 2021 at 12:38:14PM +0800, Hangyu Hua wrote:
>> dev->buf does not need to be released if it already exists before
>> executing dev_config.
>>
>> Acked-by: Alan Stern <stern@rowland.harvard.edu>
> 
> I missed this, where did Alan ack this patch?
> 
> thanks,
> 
> greg k-h
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v2 2/2] usb: gadget: clear related members when goto fail
  2021-12-30  4:38 [PATCH v2 0/2] usb: gadget: use after free in dev_config Hangyu Hua
  2021-12-30  4:38 ` [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf Hangyu Hua
@ 2021-12-30  4:38 ` Hangyu Hua
  1 sibling, 0 replies; 5+ messages in thread
From: Hangyu Hua @ 2021-12-30  4:38 UTC (permalink / raw)
  To: balbi, gregkh, axboe, stern, jj251510319013, dan.carpenter
  Cc: linux-usb, linux-kernel, Hangyu Hua

dev->config and dev->hs_config and dev->dev need to be cleaned if
dev_config fails to avoid UAF.

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
 drivers/usb/gadget/legacy/inode.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index 564352035ac1..c03ac0272e7d 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1847,7 +1847,7 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 		total = le16_to_cpu(dev->hs_config->wTotalLength);
 		if (!is_valid_config(dev->hs_config, total) ||
 				total > length - USB_DT_DEVICE_SIZE)
-			goto fail;
+			goto fail1;
 		kbuf += total;
 		length -= total;
 	} else {
@@ -1858,12 +1858,12 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 
 	/* device descriptor (tweaked for paranoia) */
 	if (length != USB_DT_DEVICE_SIZE)
-		goto fail;
+		goto fail1;
 	dev->dev = (void *)kbuf;
 	if (dev->dev->bLength != USB_DT_DEVICE_SIZE
 			|| dev->dev->bDescriptorType != USB_DT_DEVICE
 			|| dev->dev->bNumConfigurations != 1)
-		goto fail;
+		goto fail2;
 	dev->dev->bcdUSB = cpu_to_le16 (0x0200);
 
 	/* triggers gadgetfs_bind(); then we can enumerate. */
@@ -1875,6 +1875,9 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 
 	value = usb_gadget_probe_driver(&gadgetfs_driver);
 	if (value != 0) {
+		dev->dev = NULL
+		dev->hs_config = NULL;
+		dev->config = NULL;
 		kfree (dev->buf);
 		dev->buf = NULL;
 	} else {
@@ -1892,7 +1895,12 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	}
 	return value;
 
+fail2:
+	dev->dev = NULL;
+fail1:
+	dev->hs_config = NULL;
 fail:
+	dev->config = NULL;
 	spin_unlock_irq (&dev->lock);
 	pr_debug ("%s: %s fail %zd, %p\n", shortname, __func__, value, dev);
 	kfree (dev->buf);
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-12-31  1:44 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-30  4:38 [PATCH v2 0/2] usb: gadget: use after free in dev_config Hangyu Hua
2021-12-30  4:38 ` [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf Hangyu Hua
2021-12-30 11:03   ` Greg KH
2021-12-31  1:44     ` Hangyu Hua
2021-12-30  4:38 ` [PATCH v2 2/2] usb: gadget: clear related members when goto fail Hangyu Hua

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.