[PATCH v2 0/2] usb: gadget: use after free in dev

public inbox for linux-usb@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH v2 0/2] usb: gadget: use after free in dev_config
@ 2021-12-30  4:38 Hangyu Hua
  2021-12-30  4:38 ` [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf Hangyu Hua
  2021-12-30  4:38 ` [PATCH v2 2/2] usb: gadget: clear related members when goto fail Hangyu Hua
  0 siblings, 2 replies; 5+ messages in thread
From: Hangyu Hua @ 2021-12-30  4:38 UTC (permalink / raw)
  To: balbi, gregkh, axboe, stern, jj251510319013, dan.carpenter
  Cc: linux-usb, linux-kernel, Hangyu Hua

There are two bugs:
dev->buf does not need to be released if it already exists before
executing dev_config.
dev->config and dev->hs_config and dev->dev need to be cleaned if
dev_config fails to avoid UAF.

v2:
1. break one patch up into two separate patches.
2. use "fail:" to clear all members.

Hangyu Hua (2):
  usb: gadget: don't release an existing dev->buf
  usb: gadget: clear related members when goto fail

 drivers/usb/gadget/legacy/inode.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

-- 
2.25.1


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf
  2021-12-30  4:38 [PATCH v2 0/2] usb: gadget: use after free in dev_config Hangyu Hua
@ 2021-12-30  4:38 ` Hangyu Hua
  2021-12-30 11:03   ` Greg KH
  2021-12-30  4:38 ` [PATCH v2 2/2] usb: gadget: clear related members when goto fail Hangyu Hua
  1 sibling, 1 reply; 5+ messages in thread
From: Hangyu Hua @ 2021-12-30  4:38 UTC (permalink / raw)
  To: balbi, gregkh, axboe, stern, jj251510319013, dan.carpenter
  Cc: linux-usb, linux-kernel, Hangyu Hua

dev->buf does not need to be released if it already exists before
executing dev_config.

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
 drivers/usb/gadget/legacy/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index 3b58f4fc0a80..564352035ac1 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1826,8 +1826,9 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	spin_lock_irq (&dev->lock);
 	value = -EINVAL;
 	if (dev->buf) {
+		spin_unlock_irq(&dev->lock);
 		kfree(kbuf);
-		goto fail;
+		return value;
 	}
 	dev->buf = kbuf;
 
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf
  2021-12-30  4:38 ` [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf Hangyu Hua
@ 2021-12-30 11:03   ` Greg KH
  2021-12-31  1:44     ` Hangyu Hua
  0 siblings, 1 reply; 5+ messages in thread
From: Greg KH @ 2021-12-30 11:03 UTC (permalink / raw)
  To: Hangyu Hua
  Cc: balbi, axboe, stern, jj251510319013, dan.carpenter, linux-usb,
	linux-kernel

On Thu, Dec 30, 2021 at 12:38:14PM +0800, Hangyu Hua wrote:
> dev->buf does not need to be released if it already exists before
> executing dev_config.
> 
> Acked-by: Alan Stern <stern@rowland.harvard.edu>

I missed this, where did Alan ack this patch?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf
  2021-12-30 11:03   ` Greg KH
@ 2021-12-31  1:44     ` Hangyu Hua
  0 siblings, 0 replies; 5+ messages in thread
From: Hangyu Hua @ 2021-12-31  1:44 UTC (permalink / raw)
  To: Greg KH
  Cc: balbi, axboe, stern, jj251510319013, dan.carpenter, linux-usb,
	linux-kernel

I misunderstood the meaning of Alan. He didn't ack this patch. We stil 
disscuss about this. I am sorry.

On 2021/12/30 下午7:03, Greg KH wrote:
> On Thu, Dec 30, 2021 at 12:38:14PM +0800, Hangyu Hua wrote:
>> dev->buf does not need to be released if it already exists before
>> executing dev_config.
>>
>> Acked-by: Alan Stern <stern@rowland.harvard.edu>
> 
> I missed this, where did Alan ack this patch?
> 
> thanks,
> 
> greg k-h
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v2 2/2] usb: gadget: clear related members when goto fail
  2021-12-30  4:38 [PATCH v2 0/2] usb: gadget: use after free in dev_config Hangyu Hua
  2021-12-30  4:38 ` [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf Hangyu Hua
@ 2021-12-30  4:38 ` Hangyu Hua
  1 sibling, 0 replies; 5+ messages in thread
From: Hangyu Hua @ 2021-12-30  4:38 UTC (permalink / raw)
  To: balbi, gregkh, axboe, stern, jj251510319013, dan.carpenter
  Cc: linux-usb, linux-kernel, Hangyu Hua

dev->config and dev->hs_config and dev->dev need to be cleaned if
dev_config fails to avoid UAF.

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
 drivers/usb/gadget/legacy/inode.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index 564352035ac1..c03ac0272e7d 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1847,7 +1847,7 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 		total = le16_to_cpu(dev->hs_config->wTotalLength);
 		if (!is_valid_config(dev->hs_config, total) ||
 				total > length - USB_DT_DEVICE_SIZE)
-			goto fail;
+			goto fail1;
 		kbuf += total;
 		length -= total;
 	} else {
@@ -1858,12 +1858,12 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 
 	/* device descriptor (tweaked for paranoia) */
 	if (length != USB_DT_DEVICE_SIZE)
-		goto fail;
+		goto fail1;
 	dev->dev = (void *)kbuf;
 	if (dev->dev->bLength != USB_DT_DEVICE_SIZE
 			|| dev->dev->bDescriptorType != USB_DT_DEVICE
 			|| dev->dev->bNumConfigurations != 1)
-		goto fail;
+		goto fail2;
 	dev->dev->bcdUSB = cpu_to_le16 (0x0200);
 
 	/* triggers gadgetfs_bind(); then we can enumerate. */
@@ -1875,6 +1875,9 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 
 	value = usb_gadget_probe_driver(&gadgetfs_driver);
 	if (value != 0) {
+		dev->dev = NULL
+		dev->hs_config = NULL;
+		dev->config = NULL;
 		kfree (dev->buf);
 		dev->buf = NULL;
 	} else {
@@ -1892,7 +1895,12 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	}
 	return value;
 
+fail2:
+	dev->dev = NULL;
+fail1:
+	dev->hs_config = NULL;
 fail:
+	dev->config = NULL;
 	spin_unlock_irq (&dev->lock);
 	pr_debug ("%s: %s fail %zd, %p\n", shortname, __func__, value, dev);
 	kfree (dev->buf);
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-12-31  1:44 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-30  4:38 [PATCH v2 0/2] usb: gadget: use after free in dev_config Hangyu Hua
2021-12-30  4:38 ` [PATCH v2 1/2] usb: gadget: don't release an existing dev->buf Hangyu Hua
2021-12-30 11:03   ` Greg KH
2021-12-31  1:44     ` Hangyu Hua
2021-12-30  4:38 ` [PATCH v2 2/2] usb: gadget: clear related members when goto fail Hangyu Hua

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox