[BUG] usb: serial: garmin_gps: A possible concurrency use-after-free bug

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [BUG] usb: serial: garmin_gps: A possible concurrency use-after-free bug
@ 2018-12-20 13:41 Jia-Ju Bai
  2018-12-20 13:46 ` Johan Hovold
  0 siblings, 1 reply; 3+ messages in thread
From: Jia-Ju Bai @ 2018-12-20 13:41 UTC (permalink / raw)
  To: Johan Hovold, Greg KH; +Cc: linux-usb, Linux Kernel Mailing List

In drivers/usb/serial/garmin_gps.c,
the functions garmin_read_bulk_callback() and garmin_write_bulk_callback()
may be concurrently executed.

In garmin_write_bulk_callback() on line 969:
     kfree(urb->transfer_buffer);
In garmin_read_bulk_callback() on line 1165:
     unsigned char *data = urb->transfer_buffer;
Thus, a concurrency use-after-free bug may occur.

This possible bug is found by a static analysis tool written by myself.


Best wishes,
Jia-Ju Bai

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [BUG] usb: serial: garmin_gps: A possible concurrency use-after-free bug
  2018-12-20 13:41 [BUG] usb: serial: garmin_gps: A possible concurrency use-after-free bug Jia-Ju Bai
@ 2018-12-20 13:46 ` Johan Hovold
  2018-12-20 13:48   ` Jia-Ju Bai
  0 siblings, 1 reply; 3+ messages in thread
From: Johan Hovold @ 2018-12-20 13:46 UTC (permalink / raw)
  To: Jia-Ju Bai; +Cc: Johan Hovold, Greg KH, linux-usb, Linux Kernel Mailing List

On Thu, Dec 20, 2018 at 09:41:16PM +0800, Jia-Ju Bai wrote:
> In drivers/usb/serial/garmin_gps.c,
> the functions garmin_read_bulk_callback() and garmin_write_bulk_callback()
> may be concurrently executed.
> 
> In garmin_write_bulk_callback() on line 969:
>      kfree(urb->transfer_buffer);
> In garmin_read_bulk_callback() on line 1165:
>      unsigned char *data = urb->transfer_buffer;
> Thus, a concurrency use-after-free bug may occur.

No, they operate on different struct urb.

> This possible bug is found by a static analysis tool written by myself.

Seems you need to update your tool. Please also make sure to review its
output before reporting anything.

Thanks,
Johan

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [BUG] usb: serial: garmin_gps: A possible concurrency use-after-free bug
  2018-12-20 13:46 ` Johan Hovold
@ 2018-12-20 13:48   ` Jia-Ju Bai
  0 siblings, 0 replies; 3+ messages in thread
From: Jia-Ju Bai @ 2018-12-20 13:48 UTC (permalink / raw)
  To: Johan Hovold; +Cc: Greg KH, linux-usb, Linux Kernel Mailing List



On 2018/12/20 21:46, Johan Hovold wrote:
> On Thu, Dec 20, 2018 at 09:41:16PM +0800, Jia-Ju Bai wrote:
>> In drivers/usb/serial/garmin_gps.c,
>> the functions garmin_read_bulk_callback() and garmin_write_bulk_callback()
>> may be concurrently executed.
>>
>> In garmin_write_bulk_callback() on line 969:
>>       kfree(urb->transfer_buffer);
>> In garmin_read_bulk_callback() on line 1165:
>>       unsigned char *data = urb->transfer_buffer;
>> Thus, a concurrency use-after-free bug may occur.
> No, they operate on different struct urb.
>
>> This possible bug is found by a static analysis tool written by myself.
> Seems you need to update your tool. Please also make sure to review its
> output before reporting anything.

Okay, thanks for your reply.
Sorry for my false positive...


Best wishes,
Jia-Ju Bai

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2018-12-20 13:48 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-12-20 13:41 [BUG] usb: serial: garmin_gps: A possible concurrency use-after-free bug Jia-Ju Bai
2018-12-20 13:46 ` Johan Hovold
2018-12-20 13:48   ` Jia-Ju Bai

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox