From: Mathy Vanhoef <vanhoefm@gmail.com>
To: Oliver Neukum <oneukum@suse.de>
Cc: brudley@broadcom.com, Arend van Spriel <arend@broadcom.com>,
Franky Lin <frankyl@broadcom.com>,
meuleman@broadcom.com, John Linville <linville@tuxdriver.com>,
pieterpg@broadcom.com, linux-wireless@vger.kernel.org,
brcm80211-dev-list@broadcom.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] brcmfmac: unlink URB when request timed out
Date: Tue, 11 Nov 2014 20:02:27 -0500 [thread overview]
Message-ID: <5462B1A3.9020401@gmail.com> (raw)
In-Reply-To: <1415610506.16488.20.camel@linux-0dmf.site>
On 11/10/2014 04:08 AM, Oliver Neukum wrote:
> On Sun, 2014-11-09 at 13:10 -0500, Mathy Vanhoef wrote:
>> From: Mathy Vanhoef <vanhoefm@gmail.com>
>>
>> Unlink the submitted URB in brcmf_usb_dl_cmd if the request timed out. This
>> assures the URB is never submitted twice, preventing a driver crash.
>
> Hi,
>
> I am afrad this patch is no good. The diagnosis is good,
> but the fix introduces serious problems.
>
>> diff --git a/drivers/net/wireless/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
>> index 5265aa7..1bc7858 100644
>> --- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
>> +++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
>> @@ -738,10 +738,12 @@ static int brcmf_usb_dl_cmd(struct brcmf_usbdev_info *devinfo, u8 cmd,
>> goto finalize;
>> }
>>
>> - if (!brcmf_usb_ioctl_resp_wait(devinfo))
>> + if (!brcmf_usb_ioctl_resp_wait(devinfo)) {
>> + usb_unlink_urb(devinfo->ctl_urb);
>
> This is the asynchronous unlink. You have no guarantee it is finished
> after this point.
>
>> ret = -ETIMEDOUT;
>> - else
>> + } else {
>> memcpy(buffer, tmpbuf, buflen);
>> + }
>>
>> finalize:
>> kfree(tmpbuf);
>
> Which means that you are freeing memory that may still be used by DMA
> at this time.
> In addition you have no guarantee that the unlink is indeed finished
> by the time the URB is reused.
> If you wish to take this approach you better forget about this URB
> and allocate a new one and free the buffer from the callback.
Hi Oliver,
Good catch. I think the DMA issue is also present in the current driver: it
frees the buffer without unlinking/killing the URB at all. Can a malicious USB
device force a timeout to occur (i.e. delay the call to the completion
handler)? If so this might be a use-after-free vulnerability.
It seems using usb_kill_urb instead of usb_unlink_urb in the patch prevents any
possible use-after-free. Can someone double check?
Kind regards,
Mathy
>
> Regards
> Oliver
>
next prev parent reply other threads:[~2014-11-12 1:02 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-09 18:10 [PATCH] brcmfmac: unlink URB when request timed out Mathy Vanhoef
2014-11-10 9:08 ` Oliver Neukum
2014-11-12 1:02 ` Mathy Vanhoef [this message]
[not found] ` <5462B1A3.9020401-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-11-12 7:00 ` Oliver Neukum
2014-11-10 11:18 ` Arend van Spriel
2014-11-10 16:08 ` Mathy Vanhoef
2014-11-10 18:03 ` Arend van Spriel
2014-11-11 11:05 ` Arend van Spriel
2014-11-11 17:35 ` Mathy Vanhoef
[not found] ` <546248FD.8020209-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-11-11 18:00 ` Arend van Spriel
2014-11-12 0:40 ` Mathy Vanhoef
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5462B1A3.9020401@gmail.com \
--to=vanhoefm@gmail.com \
--cc=arend@broadcom.com \
--cc=brcm80211-dev-list@broadcom.com \
--cc=brudley@broadcom.com \
--cc=frankyl@broadcom.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=meuleman@broadcom.com \
--cc=netdev@vger.kernel.org \
--cc=oneukum@suse.de \
--cc=pieterpg@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).