Subject: Re: KASAN: use-after-free Read in dvb_usb_device_exit
Message-ID: <1556201335.11912.6.camel@suse.com>
From: Oliver Neukum
To: Hans Verkuil, andreyknvl@google.com, syzkaller-bugs@googlegroups.com, mchehab@kernel.org, corbet@lwn.net, syzbot, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, linux-usb@vger.kernel.org
Date: Thu, 25 Apr 2019 16:08:55 +0200
In-Reply-To: <9cfe433e-426e-19d1-9cb8-5bc2ba17145b@xs4all.nl>
References: <000000000000789d3d058653d9bb@google.com> <1555326745.13626.10.camel@suse.com> <9cfe433e-426e-19d1-9cb8-5bc2ba17145b@xs4all.nl>
X-Mailing-List: linux-usb@vger.kernel.org

On Wed, 2019-04-24 at 16:09 +0200, Hans Verkuil wrote:
> On 4/15/19 1:12 PM, Oliver Neukum wrote:
> > On Fri, 2019-04-12 at 04:46 -0700, syzbot wrote:
> > > Hello,
> > > 
> > > syzbot found the following crash on:
> > > 
> > > HEAD commit:    9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> > > git tree:       https://github.com/google/kasan/tree/usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=1643974b200000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=26ec41e9f788b3eba396
> > > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12f5efa7200000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1395a0f3200000
> > > 
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
> > > 
> > > dvb-usb: schedule remote query interval to 150 msecs.
> > > dw2102: su3000_power_ctrl: 0, initialized 1
> > > dvb-usb: TeVii S421 PCI successfully initialized and connected.
> > > usb 1-1: USB disconnect, device number 2
> > 
> > Hi,
> > 
> > proposed fix. If nobody objects, I will submit it.
> > 
> > 	Regards
> > 		Oliver
> > 
> > From d6097d205ac61745334b79639d3b8b910ae66c71 Mon Sep 17 00:00:00 2001
> > From: Oliver Neukum
> > Date: Mon, 15 Apr 2019 13:06:01 +0200
> > Subject: [PATCH] dvb: usb: fix use after free in dvb_usb_device_exit
> > 
> > dvb_usb_device_exit() frees and uses the device name in that order.
> > Fix by storing the name in a buffer before freeing it.
> > 
> > Signed-off-by: Oliver Neukum
> > Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
> > ---
> >  drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 ++++++-
> >  1 file changed, 6 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> > index 99951e02a880..2e1670cc3903 100644
> > --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
> > +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> > @@ -288,13 +288,18 @@ void dvb_usb_device_exit(struct usb_interface *intf)
> >  {
> >  	struct dvb_usb_device *d = usb_get_intfdata(intf);
> >  	const char *name = "generic DVB-USB module";
> > +	char identifier[40];
> >  
> >  	usb_set_intfdata(intf, NULL);
> >  	if (d != NULL && d->desc != NULL) {
> >  		name = d->desc->name;
> > +		memcpy(identifier, name, 39);
> > +		identifier[39] = NULL;
> >  		dvb_usb_exit(d);
> 
> Why not just move this to after the info()? You'll need to repeat the
> 'if' in that case, but that way there is no need to memcpy anything.

The info() would make the incorrect claim that something has been
freed. It looks to me like it exists to guarantee that you know that
nothing hung while freeing.

	Regards
		Oliver
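Review bot: the two added lines inside the if block have a termination and a bounds problem: identifier[39] = NULL; stores a pointer constant into a char (the terminator should be '\0'), and memcpy(identifier, name, 39); always reads 39 bytes from name, so a d->desc->name shorter than 39 characters is read past its own terminator; a bounded string copy such as strscpy(identifier, name, sizeof(identifier)); copies only the string and terminates it. The quoted hunk stops at dvb_usb_exit(d);, so the later use of identifier by the info() call that Hans refers to is not visible here and should be checked in the full patch.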
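As an added example, not code from this thread or from the dvb-usb driver, the same fix idea as a stand-alone C program: the device name is copied into a bounded, NUL-terminated buffer before the object that owns it is freed, and the log line is built from the copy. struct desc, struct dev, dev_exit(), device_exit_fixed() and make_dev() are hypothetical stand-ins for the driver's types and calls; copy_name() bounds the copy by the source's own length instead of copying a fixed 39 bytes, so short names are handled without an over-read.

```c
/* Added example, not the dvb-usb driver's code: snapshot the device name into
 * a bounded, NUL-terminated buffer before the object owning it is freed, then
 * log from the copy. All types and functions here are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NAME_BUF 40                 /* same size as the patch's identifier[40] */
struct desc { char *name; };
struct dev  { struct desc *desc; };

/* Stand-in for dvb_usb_exit(): frees d and the string d->desc->name points to. */
static void dev_exit(struct dev *d)
{
    free(d->desc->name);
    free(d->desc);
    free(d);
}

/* Bounded copy that always terminates and never reads past the source's own
 * terminator (a fixed memcpy(buf, name, 39) over-reads shorter names). */
static void copy_name(char *dst, const char *src, size_t size)
{
    size_t n = 0;
    while (n < size - 1 && src[n] != '\0') n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Fixed ordering: snapshot the name, free, then log from the snapshot.
 * Returns the logged name (a static buffer) so callers can check it. */
const char *device_exit_fixed(struct dev *d)
{
    static char identifier[NAME_BUF];
    copy_name(identifier, "generic DVB-USB module", NAME_BUF);
    if (d != NULL && d->desc != NULL) {
        copy_name(identifier, d->desc->name, NAME_BUF); /* still valid here */
        dev_exit(d);                        /* d->desc->name is freed now */
    }
    printf("dvb-usb: %s successfully deinitialized and disconnected.\n", identifier);
    return identifier;
}

/* Constructed sample device with a heap-allocated name, like the real one. */
struct dev *make_dev(const char *name)
{
    struct dev *d = malloc(sizeof *d);
    d->desc = malloc(sizeof *d->desc);
    d->desc->name = malloc(strlen(name) + 1);
    memcpy(d->desc->name, name, strlen(name) + 1);
    return d;
}
```

The third case below feeds a 46-character name to show that the copy is cut at 39 characters and still terminated.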