lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <20151001172129.GE4469@saruman.tx.rr.com>
Date:	Thu, 1 Oct 2015 12:21:29 -0500
From:	Felipe Balbi <balbi@...com>
To:	"Kaukab, Yousaf" <yousaf.kaukab@...el.com>
CC:	"balbi@...com" <balbi@...com>,
	"linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
	"john.youn@...opsys.com" <john.youn@...opsys.com>,
	"lyz@...k-chips.com" <lyz@...k-chips.com>,
	"heiko@...ech.de" <heiko@...ech.de>,
	"cf@...k-chips.com" <cf@...k-chips.com>,
	"hl@...k-chips.com" <hl@...k-chips.com>,
	"yk@...k-chips.com" <yk@...k-chips.com>,
	"gauravsh@...gle.com" <gauravsh@...gle.com>,
	"alberto@...gle.com" <alberto@...gle.com>,
	"wulf@...k-chips.com" <wulf@...k-chips.com>,
	"jwerner@...omium.org" <jwerner@...omium.org>,
	"jeffy.chen@...k-chips.com" <jeffy.chen@...k-chips.com>,
	"Herrero, Gregory" <gregory.herrero@...el.com>,
	"huangtao@...k-chips.com" <huangtao@...k-chips.com>,
	"rockchip-discuss@...omium.org" <rockchip-discuss@...omium.org>,
	"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free bug

On Thu, Oct 01, 2015 at 12:01:48PM +0000, Kaukab, Yousaf wrote:
> > From: Mian Yousaf Kaukab <yousaf.kaukab@...el.com>
> > Date: Tue, Sep 29, 2015 at 12:25 PM
> > Subject: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free bug
> > To: linux-usb@...r.kernel.org, balbi@...com, john.youn@...opsys.com, lyz@...k-chips.com
> > Cc: heiko@...ech.de, cf@...k-chips.com, hl@...k-chips.com, yk@...k-chips.com, gauravsh@...gle.com, alberto@...gle.com, wulf@...k-chips.com, jwerner@...omium.org, jeffy.chen@...k-chips.com, gregory.herrero@...el.com, huangtao@...k-chips.com, rockchip-discuss@...omium.org, gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org
> > 
> > 
> > From: Yunzhi Li <lyz@...k-chips.com>
> > 
> > When dwc2_hsotg_handle_unaligned_buf_complete() has already destroyed
> > hs_req->req.buf, dwc2_hsotg_unmap_dma() touches hs_req->req.dma again, so
> > dwc2_hsotg_unmap_dma() should be called before
> > dwc2_hsotg_handle_unaligned_buf_complete(). Otherwise, it will cause a
> > bad_page BUG when this memory page is allocated next time.
> > 
> > This bug led to the following crash:
> > 
> > BUG: Bad page state in process swapper/0  pfn:2bdbc
> > [   26.820440] page:eed76780 count:0 mapcount:0 mapping:  (null) index:0x0
> > [   26.854710] page flags: 0x200(arch_1)
> > [   26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set
> > [   26.919179] bad because of flags:
> > [   26.948917] page flags: 0x200(arch_1)
> > [   26.979100] Modules linked in:
> > [   27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.14.0 #17
> > [   27.041816] [<c010e1f8>] (unwind_backtrace) from [<c010a704>] (show_stack+0x20/0x24)
> > [   27.076108] [<c010a704>] (show_stack) from [<c087eea8>] (dump_stack+0x70/0x8c)
> > [   27.110246] [<c087eea8>] (dump_stack) from [<c01ce0b8>] (bad_page+0xfc/0x12c)
> > [   27.143958] [<c01ce0b8>] (bad_page) from [<c01ce65c>] (get_page_from_freelist+0x3e4/0x50c)
> > [   27.179298] [<c01ce65c>] (get_page_from_freelist) from [<c01ce9a0>] (__alloc_pages_nodemask)
> > [   27.216296] [<c01ce9a0>] (__alloc_pages_nodemask) from [<c01cf00c>] (__get_free_pages+0x20/)
> > [   27.252326] [<c01cf00c>] (__get_free_pages) from [<c01e5bec>] (kmalloc_order_trace+0x34/0xa)
> > [   27.288295] [<c01e5bec>] (kmalloc_order_trace) from [<c0203304>] (__kmalloc+0x40/0x1ac)
> > [   27.323751] [<c0203304>] (__kmalloc) from [<c052abc0>] (dwc2_hsotg_ep_queue.isra.12+0x7c/0x1)
> > [   27.359937] [<c052abc0>] (dwc2_hsotg_ep_queue.isra.12) from [<c052af88>] (dwc2_hsotg_ep_queue)
> > [   27.397478] [<c052af88>] (dwc2_hsotg_ep_queue_lock) from [<c0554110>] (rx_submit+0xfc/0x164)
> > [   27.433619] [<c0554110>] (rx_submit) from [<c05546e8>] (rx_complete+0x22c/0x230)
> > [   27.468872] [<c05546e8>] (rx_complete) from [<c052b528>] (dwc2_hsotg_complete_request+0xfc/0)
> > [   27.506240] [<c052b528>] (dwc2_hsotg_complete_request) from [<c052bba0>] (dwc2_hsotg_handle_o)
> > [   27.545401] [<c052bba0>] (dwc2_hsotg_handle_outdone) from [<c052be70>] (dwc2_hsotg_epint+0x2c)
> > [   27.583689] [<c052be70>] (dwc2_hsotg_epint) from [<c052c750>] (dwc2_hsotg_irq+0x1dc/0x4ac)
> > [   27.621041] [<c052c750>] (dwc2_hsotg_irq) from [<c01682e0>] (handle_irq_event_percpu+0x70/0x)
> > [   27.659066] [<c01682e0>] (handle_irq_event_percpu) from [<c01684ec>] (handle_irq_event+0x4c)
> > [   27.697322] [<c01684ec>] (handle_irq_event) from [<c016bae0>] (handle_fasteoi_irq+0xc8/0x11)
> > [   27.735451] [<c016bae0>] (handle_fasteoi_irq) from [<c0167b8c>] (generic_handle_irq+0x30/0x)
> > [   27.773918] [<c0167b8c>] (generic_handle_irq) from [<c0167ca4>] (__handle_domain_irq+0x84/0)
> > [   27.812018] [<c0167ca4>] (__handle_domain_irq) from [<c01003b0>] (gic_handle_irq+0x48/0x6c)
> > [   27.849695] [<c01003b0>] (gic_handle_irq) from [<c010b340>] (__irq_svc+0x40/0x50)
> > [   27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28)
> > 
> > Acked-by: John Youn <johnyoun@...opsys.com>
> > Tested-by: Heiko Stuebner <heiko@...ech.de>
> > Tested-by: Jeffy Chen <jeffy.chen@...k-chips.com>
> > Signed-off-by: Yunzhi Li <lyz@...k-chips.com>
> 
> Hi Felipe,
> This patch has been hanging around for a while now. Can you please apply this?

https://git.kernel.org/cgit/linux/kernel/git/balbi/usb.git/commit/?h=testing/next&id=1c2e3377a933af9102f6c57c414c378a52d4e70d

-- 
balbi
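
The teardown-ordering bug described in the quoted commit message, modelled in user space as an added example; this is not the dwc2 driver's code and not part of the thread. Everything here is constructed for the illustration: a tiny page allocator that, like the kernel's check at page-prep time, reports a page that comes off the free list with a stray flag set; a fake dma_unmap_single() that sets a flag on the page behind the mapping (a stand-in for the arch_1 flag in the trace); and a completion path that runs the bounce-buffer cleanup and the DMA unmap in both orders. Running unmap after the bounce buffer has been freed flags a page that is already on the free list, and the next allocation trips the check; unmapping first does not.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NPAGES 8
#define MODEL_PAGE_SIZE 64
#define PG_ALLOCATED 0x1UL   /* constructed bookkeeping bit */
#define PG_ARCH_1    0x2UL   /* stands in for the arch_1 flag in the trace */

/* A "struct page" with a flags word, and a tiny allocator over an array of them. */
struct page { unsigned long flags; unsigned char mem[MODEL_PAGE_SIZE]; };
static struct page pages[NPAGES];
static int bad_page_reports;

/* Like PAGE_FLAGS_CHECK_AT_PREP: a page leaving the free list with stray
 * flags set is counted as a bad page. Returns the page index or -1. */
static int page_alloc(void)
{
    for (int i = 0; i < NPAGES; i++) {
        if (pages[i].flags & PG_ALLOCATED)
            continue;
        if (pages[i].flags & PG_ARCH_1)
            bad_page_reports++;
        pages[i].flags = PG_ALLOCATED;
        return i;
    }
    return -1;
}

/* Freeing clears the flags, as the kernel does for the check-at-prep bits. */
static void page_free(int idx) { pages[idx].flags = 0; }

typedef int dma_addr_t;   /* in this model a DMA address is a page index */

struct usb_request {
    void *buf;                 /* buffer the gadget driver sees */
    dma_addr_t dma;            /* mapping handed to the controller */
    unsigned length, actual;
    int status;
};

struct hsotg_req {
    struct usb_request req;
    void *saved_req_buf;       /* caller's unaligned buffer while bouncing */
    int bounce_page;           /* page backing the bounce buffer */
};

/* Unmapping a device-to-CPU buffer on a non-coherent arch touches the mapped
 * page's flags; nothing here checks whether the page is still owned. */
static void dma_unmap_single(dma_addr_t dma) { pages[dma].flags |= PG_ARCH_1; }

/* Copy out of the bounce buffer, free it, restore the caller's pointer.
 * req.dma is left pointing at the page that was just freed. */
static void handle_unaligned_buf_complete(struct hsotg_req *hs_req)
{
    if (!hs_req->saved_req_buf)
        return;
    if (!hs_req->req.status)
        memcpy(hs_req->saved_req_buf, hs_req->req.buf, hs_req->req.actual);
    page_free(hs_req->bounce_page);
    hs_req->req.buf = hs_req->saved_req_buf;
    hs_req->saved_req_buf = NULL;
}

static void unmap_dma(struct hsotg_req *hs_req)
{
    dma_unmap_single(hs_req->req.dma);
    hs_req->req.dma = -1;
}

/* Queue one bounced OUT request, complete it, run the two teardown steps in
 * the requested order, then allocate again (the __kmalloc in the trace).
 * Returns how many bad-page reports that allocation raised. */
static int run_completion(bool unmap_first)
{
    unsigned char user_buf[16];
    struct hsotg_req hs_req = { .req = { .buf = user_buf, .length = 16 } };

    memset(pages, 0, sizeof pages);
    bad_page_reports = 0;

    hs_req.bounce_page = page_alloc();          /* ep_queue: bounce + map */
    hs_req.saved_req_buf = hs_req.req.buf;
    hs_req.req.buf = pages[hs_req.bounce_page].mem;
    hs_req.req.dma = hs_req.bounce_page;

    memset(hs_req.req.buf, 0xAB, 16);           /* controller "wrote" 16 bytes */
    hs_req.req.actual = 16;
    hs_req.req.status = 0;

    if (unmap_first) {                          /* order the patch establishes */
        unmap_dma(&hs_req);
        handle_unaligned_buf_complete(&hs_req);
    } else {                                    /* order that produced the crash */
        handle_unaligned_buf_complete(&hs_req);
        unmap_dma(&hs_req);                     /* flags a page already freed */
    }

    page_alloc();
    return bad_page_reports;
}

int main(void)
{
    printf("complete then unmap: %d bad page report(s)\n", run_completion(false));
    printf("unmap then complete: %d bad page report(s)\n", run_completion(true));
    return 0;
}
```

The general lesson is the one the commit message states: any teardown step that still dereferences a mapping or pointer must run before the step that releases the memory behind it, and a use-after-free of this kind need not crash at the point of misuse; here it only surfaces at the next allocation of the same page.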
