The Linux Kernel Mailing List
* [PATCH 0/4] usb: fix UAF related to dynamic ID
@ 2026-06-30 11:38 Gary Guo
  2026-06-30 11:38 ` [PATCH 1/4] wifi: ath9k_htc: don't keep usb_device_id Gary Guo
                   ` (4 more replies)
  0 siblings, 5 replies; 12+ messages in thread
From: Gary Guo @ 2026-06-30 11:38 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Rafael J. Wysocki, Danilo Krummrich,
	Toke Høiland-Jørgensen, Johan Hovold
  Cc: linux-wireless, linux-kernel, linux-usb, driver-core, Gary Guo

This is the USB version of the dynamic ID UAF fix similar to that of PCI
[1]. usb_match_dynamic_id returns a pointer to a field of usb_dynid, which
can be freed when the dynamic ID is removed via sysfs. Fix it by making a
stack copy of the ID.

There are 2 existing users which store their usb_device_id argument in
the probe callback. This is a bad pattern because nothing except driver_data
inside usb_device_id is what they want. Actual idProduct information can be
retrieved from usb_device instead. I've used the following coccinelle
script to find the cases where the argument is stored and converted them to
stop storing usb_device_id.

There's an additional user, spcp8x5, which also stores usb_device_id, but
is part of USB serial which doesn't support dyn ID removal. However, there
is no reason to keep the usb_device_id for it anyway, so it is also
converted.

@store@
identifier fn;
identifier id;
expression E;
parameter list[n] ps;
@@
  fn(ps, struct usb_device_id *id, ...)
  {
    ...
*   E = id
    ...
  }

@cast@
identifier fn;
identifier id;
parameter list[n] ps;
@@
  fn(ps, struct usb_device_id *id, ...)
  {
    ...
*   (void *)id
    ...
  }

@in_struct@
identifier s, fld;
@@
  struct s {
    ...
*   struct usb_device_id *fld;
    ...
  };

Link: https://lore.kernel.org/driver-core/20260630-pci_id_fix-v2-0-b834a98c0af2@garyguo.net [1]

Signed-off-by: Gary Guo <gary@garyguo.net>
---
Gary Guo (4):
      wifi: ath9k_htc: don't keep usb_device_id
      usb: usbtmc: don't keep usb_device_id
      usb: serial: spcp8x5: don't keep usb_device_id
      usb: fix UAF when probe runs concurrent to dyn ID removal

 drivers/net/wireless/ath/ath9k/hif_usb.c | 12 ++++++------
 drivers/net/wireless/ath/ath9k/hif_usb.h |  2 +-
 drivers/usb/class/usbtmc.c               |  2 --
 drivers/usb/core/driver.c                | 33 ++++++++++++++++----------------
 drivers/usb/serial/spcp8x5.c             |  6 +++---
 include/linux/usb.h                      |  3 ++-
 6 files changed, 29 insertions(+), 29 deletions(-)
---
base-commit: 7de6ae9e12207ec146f2f3f1e58d1a99317e88bc
change-id: 20260629-usb_dyn_id_uaf-9d5f415387d4

Best regards,
--  
Gary Guo <gary@garyguo.net>
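
The lifetime problem described in the cover letter above, as an added userspace model in C (not code from this patch series or from the kernel). All type and function names are hypothetical; the list stands in for a driver's dynamic ID list, and dynid_remove() stands in for removal via sysfs.

```c
#include <stdint.h>
#include <stdlib.h>

/* Userspace model; every name here is hypothetical, not the kernel's. */
struct dev_id { uint16_t vendor, product; unsigned long driver_data; };
struct dynid  { struct dynid *next; struct dev_id id; };
struct dynid *dyn_list;

int dynid_add(uint16_t v, uint16_t p, unsigned long data)
{
    struct dynid *d = calloc(1, sizeof(*d));
    if (!d)
        return -1;
    d->id = (struct dev_id){ .vendor = v, .product = p, .driver_data = data };
    d->next = dyn_list;
    dyn_list = d;
    return 0;
}

/* Models removal through sysfs: unlink the entry and free it. */
void dynid_remove(uint16_t v, uint16_t p)
{
    for (struct dynid **pp = &dyn_list; *pp; pp = &(*pp)->next) {
        struct dynid *d = *pp;
        if (d->id.vendor != v || d->id.product != p)
            continue;
        *pp = d->next;
        free(d);
        return;
    }
}

/* Unsafe shape: result points into a heap entry; dangles after removal. */
const struct dev_id *match_ptr(uint16_t v, uint16_t p)
{
    for (struct dynid *d = dyn_list; d; d = d->next)
        if (d->id.vendor == v && d->id.product == p)
            return &d->id;
    return NULL;
}

/* Fixed shape: the ID is copied into caller-owned storage. */
int match_copy(uint16_t v, uint16_t p, struct dev_id *out)
{
    const struct dev_id *hit = match_ptr(v, p);
    if (hit)
        *out = *hit;
    return hit != NULL;
}
```

A caller that keeps the match_ptr() result past a dynid_remove() holds freed memory, while a struct dev_id filled by match_copy() stays valid for as long as the caller's own storage does.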


Thread overview: 12+ messages
2026-06-30 11:38 [PATCH 0/4] usb: fix UAF related to dynamic ID Gary Guo
2026-06-30 11:38 ` [PATCH 1/4] wifi: ath9k_htc: don't keep usb_device_id Gary Guo
2026-06-30 21:51   ` Danilo Krummrich
2026-06-30 11:38 ` [PATCH 2/4] usb: usbtmc: " Gary Guo
2026-06-30 21:51   ` Danilo Krummrich
2026-06-30 11:38 ` [PATCH 3/4] usb: serial: spcp8x5: " Gary Guo
2026-06-30 21:52   ` Danilo Krummrich
2026-06-30 11:38 ` [PATCH 4/4] usb: fix UAF when probe runs concurrent to dyn ID removal Gary Guo
2026-06-30 21:55   ` Danilo Krummrich
2026-06-30 13:26 ` [PATCH 0/4] usb: fix UAF related to dynamic ID Manuel Ebner
2026-06-30 13:39   ` Danilo Krummrich
2026-07-01 15:02     ` Manuel Ebner
