From: Greg KH <gregkh@linuxfoundation.org>
To: Rondreis <linhaoguo86@gmail.com>
Cc: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
johan@kernel.org
Subject: Re: KASAN: use-after-free Write in keyspan_close
Date: Wed, 21 Sep 2022 18:20:04 +0200 [thread overview]
Message-ID: <Yys5tGHLo4AFcA3E@kroah.com> (raw)
In-Reply-To: <CAB7eexKKeOxgZ6uh7WXJcui71_uOMeYr8+=Hfb0-Gi4h8JMmEw@mail.gmail.com>
On Wed, Sep 21, 2022 at 11:45:17PM +0800, Rondreis wrote:
> Thank you for your reply!
>
> This is a “fake” device. We emulated some functions with the built-in
> gadget module as a virtual device side for fuzzing. It can pass through
> the matching phase and, to some extent the probing phase.
> As you said, the configuration options are correct.
But this fake device does not follow the protocol of the real device,
right? So how is any fake data sent/received by it to fuzz?
> After a successful attachment, we extracted the file_operations
> of the device files on both sides to find the corresponding system calls.
open/read/write/close? :)
> Later, by fuzzing the dual-sided device with system calls, it is
> equivalent to considering data threats from both peripheral and user space.
So you are now treating this device as malicious.
If so, wonderful, that means you now need to audit the driver and fix
all of the assumptions that we made when it was written as it was a
trusted device at that point in time.
Not to say that this is a bad thing, just that you are testing something
that the original code was never designed to even consider, so you will
find problems.
Any help you can in fixing them would be appreciated, and then we can
move on to all of the others that we have as all of them were also
written to assume that we trust the hardware, as that was the Linux
security model at the time (also all other operating system's model, we
are not unique here.)
My point being, this is going to be a long slog if you wish to change
the model that Linux was originally designed for. Perhaps you should
look into some way to "trace" the data paths to find where USB data is
received and acted on before it can be "trusted". Much like we
currently do today for userspace memory pointers.
That will be a much better solution overall, so that we can then use
that model to fix all drivers, and prevent any future changes from also
causing problems.
Then you can turn that model to other busses, which for now we also
consider trusted, but some people wish to change that.
So don't focus on this one tiny driver, try working on the root issue
here please.
good luck!
greg k-h
next prev parent reply other threads:[~2022-09-21 16:37 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-20 14:47 KASAN: use-after-free Write in keyspan_close Rondreis
2022-09-20 16:16 ` Greg KH
2022-09-21 15:45 ` Rondreis
2022-09-21 16:20 ` Greg KH [this message]
2022-09-29 11:41 ` Oliver Neukum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yys5tGHLo4AFcA3E@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=johan@kernel.org \
--cc=linhaoguo86@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox