Re: [PATCH] usb/cdc-wdm: fix memory leak of wdm_device

linux-usb.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Oliver Neukum <oneukum@suse.com>
To: Sabyrzhan Tasbolatov <snovitoll@gmail.com>,
	syzbot+9760fbbd535cee131f81@syzkaller.appspotmail.com
Cc: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
	linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	oneukum@suse.com
Subject: Re: [PATCH] usb/cdc-wdm: fix memory leak of wdm_device
Date: Mon, 11 Nov 2024 10:44:43 +0100	[thread overview]
Message-ID: <825be5e2-31b2-4cd6-a283-05935ea6161f@suse.com> (raw)
In-Reply-To: <20241109152821.3476218-1-snovitoll@gmail.com>

On 09.11.24 16:28, Sabyrzhan Tasbolatov wrote:

Hi,

> syzbot reported "KMSAN: kernel-infoleak in wdm_read", though there is no
> reproducer and the only report for this issue. This might be
> a false-positive, but while the reading the code, it seems,
> there is the way to leak kernel memory.

As far as I can tell, the leak is real.

> Here what I understand so far from the report happening
> with ubuf in drivers/usb/class/cdc-wdm.c:
> 
> 1. kernel buffer "ubuf" is allocated during cdc-wdm device creation in
>     the "struct wdm_device":

Yes
[..]

> 2. during wdm_create() it calls wdm_in_callback() which MAY fill "ubuf"
>     for the first time via memmove if conditions are met.

Yes.
[..]

> 3. if conditions are not fulfilled in step 2., then calling read() syscall
>     which calls wdm_read(), should leak the random kernel memory via
>     copy_to_user() from "ubuf" buffer which is allocated in kmalloc-256.

Yes, sort of.

>   
> -	desc->ubuf = kmalloc(desc->wMaxCommand, GFP_KERNEL);
> +	desc->ubuf = kzalloc(desc->wMaxCommand, GFP_KERNEL);
>   	if (!desc->ubuf)
>   		goto err;

No. I am sorry, but the fix is wrong. Absolutely wrong.

Let's look at the code of wdm_read():

                 cntr = desc->length;
Here the method determines how much data is in the buffer.
"length" initially is zero, because the descriptor itself
is allocated with kzalloc. It is increased in the callback.

                 spin_unlock_irq(&desc->iuspin);
         }

         if (cntr > count)
                 cntr = count;

This is _supposed_ to make sure that user space does not get more
than we have in the buffer.

         rv = copy_to_user(buffer, desc->ubuf, cntr);
         if (rv > 0) {
                 rv = -EFAULT;
                 goto err;
         }

         spin_lock_irq(&desc->iuspin);

         for (i = 0; i < desc->length - cntr; i++)
                 desc->ubuf[i] = desc->ubuf[i + cntr];

         desc->length -= cntr;

Here we decrease the count of what we have in the buffer.

Now please look at the check again

"cntr" is what we have in the buffer.
"count" is how much user space wants.

We should limit what we copy to the amount we have in the buffer.
But that is not what the check does. Instead it makes sure we never
copy more than user space requested. But we do not check whether
the buffer has enough data to satisfy the read.

You have discovered the bug. If you want to propose a fix, the honor is yours.
Or do you want me to fix it?

tl;dr: Excellent catch, wrong fix

	Regards
		Oliver

next prev parent reply	other threads:[~2024-11-11  9:44 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-08-20 22:48 [syzbot] [usb?] KMSAN: kernel-infoleak in wdm_read syzbot
2024-11-09 15:28 ` [PATCH] usb/cdc-wdm: fix memory leak of wdm_device Sabyrzhan Tasbolatov
2024-11-10  7:07   ` Greg KH
2024-11-10  8:21     ` [PATCH v2] usb/cdc-wdm: fix memory info leak in wdm_read Sabyrzhan Tasbolatov
2024-11-11  9:44   ` Oliver Neukum [this message]
2024-11-11 10:40     ` [PATCH] usb/cdc-wdm: fix memory leak of wdm_device Sabyrzhan Tasbolatov
2024-11-11 11:46       ` Greg KH
2024-11-11 12:01       ` [PATCH v3] usb/cdc-wdm: fix memory info leak in wdm_read Sabyrzhan Tasbolatov
2024-11-12 11:13         ` Greg KH
2024-11-12 13:29           ` [PATCH v4] " Sabyrzhan Tasbolatov
2024-11-12 15:52             ` Alan Stern
2024-11-12 19:30               ` Sabyrzhan Tasbolatov
2024-11-12 20:25                 ` Alan Stern
2024-11-14  5:58                   ` Sabyrzhan Tasbolatov
2024-11-11 14:29     ` [PATCH] usb/cdc-wdm: fix memory leak of wdm_device Alan Stern
2024-11-12  9:34       ` Sabyrzhan Tasbolatov
2024-11-12 15:38         ` Alan Stern

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=825be5e2-31b2-4cd6-a283-05935ea6161f@suse.com \
    --to=oneukum@suse.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=snovitoll@gmail.com \
    --cc=syzbot+9760fbbd535cee131f81@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).