From: Felipe Balbi
To: Jim Lin
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Jim Lin
Subject: Re: [PATCH v3] usb: gadget: configfs: Fix KASAN use-after-free
In-Reply-To: <1484647168-30135-1-git-send-email-jilin@nvidia.com>
References: <1484647168-30135-1-git-send-email-jilin@nvidia.com>
Date: Tue, 17 Jan 2017 12:29:09 +0200
Message-ID: <878tqakmiy.fsf@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

Jim Lin writes:
> When gadget is disconnected, running sequence is like this.
> . composite_disconnect
> . Call trace:
> usb_string_copy+0xd0/0x128
> gadget_config_name_configuration_store+0x4
> gadget_config_name_attr_store+0x40/0x50
> configfs_write_file+0x198/0x1f4
> vfs_write+0x100/0x220
> SyS_write+0x58/0xa8
> . configfs_composite_unbind
> . configfs_composite_bind
>
> In configfs_composite_bind, it has
> "cn->strings.s = cn->configuration;"
>
> When usb_string_copy is invoked, it would
> allocate memory, copy input string, release previous pointed memory space,
> and use new allocated memory.
>
> When gadget is connected, host sends down request to get information.
> Call trace:
> usb_gadget_get_string+0xec/0x168
> lookup_string+0x64/0x98
> composite_setup+0xa34/0x1ee8
>
> If gadget is disconnected and connected quickly, in the failed case,
> cn->configuration memory has been released by usb_string_copy kfree but
> configfs_composite_bind hasn't been run in time to assign new allocated
> "cn->configuration" pointer to "cn->strings.s".
>
> When "strlen(s->s)" of usb_gadget_get_string is being executed, the dangling
> memory is accessed, "BUG: KASAN: use-after-free" error occurs.
>
> Signed-off-by: Jim Lin
> ---
> Changes in v2:
> Changes in v3:
> Change commit description

Well, I need to be sure you tested this with Linus' tree. The reason I'm
asking is because this could be a bug caused by Android changes. From
your previous patch, the problem started with android_setup().

Please test with v4.10-rc4 and any configfs-based gadget.

-- 
balbi
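The commit description quoted above boils down to an aliasing bug: the store path replaces and frees the buffer behind cn->configuration, while cn->strings.s keeps the old address until the next bind re-assigns it. The following C model is an added illustration for readers of this thread, not code from the kernel, from Jim Lin's patch or from Felipe Balbi. The struct and function names (config_name, usb_string_copy_model, bind_model, store_and_refresh_alias) are assumptions chosen to mirror the mail's wording; the "refresh the alias in the store" variant is a hypothetical hardening shown for contrast, not the posted fix. It never dereferences the stale pointer; it only compares addresses, which is what a reviewer would check first when reasoning about this window.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model (names are assumptions, not the kernel's definitions):
 * one field owns the heap string, a second field aliases it, and the alias
 * is only re-synchronised when bind runs. */
struct gadget_strings { const char *s; };
struct config_name {
    char *configuration;           /* owning pointer, replaced by the store path */
    struct gadget_strings strings; /* alias read on the host-request path */
};

/* Local strdup replacement so the example builds under strict C standards. */
static char *dup_string(const char *src)
{
    size_t n = strlen(src) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, src, n);
    return p;
}

/* Models the usb_string_copy behaviour the message describes: allocate and
 * copy first, then free the previous buffer, then update the owner. The
 * alias in strings.s is deliberately left untouched, as in the report. */
static int usb_string_copy_model(char **field, const char *src)
{
    char *copy = dup_string(src);
    if (!copy)
        return -1;
    free(*field);
    *field = copy;
    return 0;
}

/* Models the assignment the message attributes to configfs_composite_bind. */
static void bind_model(struct config_name *cn)
{
    cn->strings.s = cn->configuration;
}

/* Pointer-identity check: true when the alias no longer names the buffer the
 * owner holds. Compares addresses only; it never reads through the alias. */
static int alias_is_stale(const struct config_name *cn)
{
    return (uintptr_t)cn->strings.s != (uintptr_t)cn->configuration;
}

/* Hypothetical hardened store (illustration, not the posted patch): the alias
 * is refreshed in the same step as the replacement, so no window exists in
 * which strings.s points at freed memory. */
static int store_and_refresh_alias(struct config_name *cn, const char *src)
{
    int rc = usb_string_copy_model(&cn->configuration, src);
    if (rc == 0)
        bind_model(cn);
    return rc;
}

/* Sequence from the report: bind, then a userspace store, then a host
 * request that reads strings.s before the next bind has run.
 * Returns 1 when that lookup would dereference freed memory, 0 otherwise. */
static int lookup_sees_stale_alias(int refresh_in_store)
{
    struct config_name cn;
    int stale;

    cn.configuration = dup_string("c1");
    cn.strings.s = NULL;

    bind_model(&cn);                                    /* configfs_composite_bind */
    if (refresh_in_store)
        store_and_refresh_alias(&cn, "c2");             /* hardened store */
    else
        usb_string_copy_model(&cn.configuration, "c2"); /* store as described */
    stale = alias_is_stale(&cn);                        /* composite_setup lookup */

    free(cn.configuration);
    return stale;
}

int main(void)
{
    printf("store as described, lookup before re-bind: stale=%d\n",
           lookup_sees_stale_alias(0));
    printf("store that refreshes the alias:             stale=%d\n",
           lookup_sees_stale_alias(1));
    return 0;
}
```

The first call reproduces the window the report describes (the alias still holds the freed address), the second shows that it closes once the alias and the owner are updated together. Whether that is the right fix in the real driver is exactly the question under review above; the model only makes the ordering visible.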