lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Fri, 2 Oct 2015 07:09:17 +0000
From:	"Kaukab, Yousaf" <yousaf.kaukab@...el.com>
To:	"balbi@...com" <balbi@...com>
CC:	"linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
	"john.youn@...opsys.com" <john.youn@...opsys.com>,
	"lyz@...k-chips.com" <lyz@...k-chips.com>,
	"heiko@...ech.de" <heiko@...ech.de>,
	"cf@...k-chips.com" <cf@...k-chips.com>,
	"hl@...k-chips.com" <hl@...k-chips.com>,
	"yk@...k-chips.com" <yk@...k-chips.com>,
	"gauravsh@...gle.com" <gauravsh@...gle.com>,
	"alberto@...gle.com" <alberto@...gle.com>,
	"wulf@...k-chips.com" <wulf@...k-chips.com>,
	"jwerner@...omium.org" <jwerner@...omium.org>,
	"jeffy.chen@...k-chips.com" <jeffy.chen@...k-chips.com>,
	"Herrero, Gregory" <gregory.herrero@...el.com>,
	"huangtao@...k-chips.com" <huangtao@...k-chips.com>,
	"rockchip-discuss@...omium.org" <rockchip-discuss@...omium.org>,
	"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory
 use-after-free bug

> -----Original Message-----
> From: Felipe Balbi [mailto:balbi@...com]
> Sent: Thursday, October 1, 2015 7:21 PM
> To: Kaukab, Yousaf
> Cc: balbi@...com; linux-usb@...r.kernel.org; john.youn@...opsys.com;
> lyz@...k-chips.com; heiko@...ech.de; cf@...k-chips.com; hl@...k-chips.com;
> yk@...k-chips.com; gauravsh@...gle.com; alberto@...gle.com; wulf@...k-
> chips.com; jwerner@...omium.org; jeffy.chen@...k-chips.com; Herrero,
> Gregory; huangtao@...k-chips.com; rockchip-discuss@...omium.org;
> gregkh@...uxfoundation.org; linux-kernel@...r.kernel.org
> Subject: Re: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory use-after-free
> bug
> 
> On Thu, Oct 01, 2015 at 12:01:48PM +0000, Kaukab, Yousaf wrote:
> > > From: Mian Yousaf Kaukab <yousaf.kaukab@...el.com>
> > > Date: Tue, Sep 29, 2015 at 12:25 PM
> > > Subject: [PATCH v1 Resend] usb: dwc2: gadget: fix a memory
> > > use-after-free bug
> > > To: linux-usb@...r.kernel.org, balbi@...com, john.youn@...opsys.com,
> > > lyz@...k-chips.com
> > > Cc: heiko@...ech.de, cf@...k-chips.com, hl@...k-chips.com, yk@...k-
> > > chips.com, gauravsh@...gle.com, alberto@...gle.com,
> > > wulf@...k-chips.com, jwerner@...omium.org,
> > > jeffy.chen@...k-chips.com, gregory.herrero@...el.com,
> > > huangtao@...k-chips.com, rockchip- discuss@...omium.org,
> > > gregkh@...uxfoundation.org, linux- kernel@...r.kernel.org
> > >
> > >
> > > From: Yunzhi Li <lyz@...k-chips.com>
> > >
> > > When dwc2_hsotg_handle_unaligned_buf_complete() hs_req->req.buf
> > > already destroyed, in dwc2_hsotg_unmap_dma(), it touches
> > > hs_req->req.dma again, so
> > > dwc2_hsotg_unmap_dma() should be called before
> > > dwc2_hsotg_handle_unaligned_buf_complete(). Otherwise, it will cause
> > > a bad_page BUG, when allocate this memory page next time.
> > >
> > > This bug led to the following crash:
> > >
> > > BUG: Bad page state in process swapper/0  pfn:2bdbc
> > > [   26.820440] page:eed76780 count:0 mapcount:0 mapping:  (null)
> index:0x0
> > > [   26.854710] page flags: 0x200(arch_1)
> > > [   26.885836] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag
> set
> > > [   26.919179] bad because of flags:
> > > [   26.948917] page flags: 0x200(arch_1)
> > > [   26.979100] Modules linked in:
> > > [   27.008401] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W3.14.0 #17
> > > [   27.041816] [<c010e1f8>] (unwind_backtrace) from [<c010a704>]
> > > (show_stack+0x20/0x24)
> > > [   27.076108] [<c010a704>] (show_stack) from [<c087eea8>]
> > > (dump_stack+0x70/0x8c)
> > > [   27.110246] [<c087eea8>] (dump_stack) from [<c01ce0b8>]
> > > (bad_page+0xfc/0x12c)
> > > [   27.143958] [<c01ce0b8>] (bad_page) from [<c01ce65c>]
> > > (get_page_from_freelist+0x3e4/0x50c)
> > > [   27.179298] [<c01ce65c>] (get_page_from_freelist) from [<c01ce9a0>]
> > > (__alloc_pages_nodemask)
> > > [   27.216296] [<c01ce9a0>] (__alloc_pages_nodemask) from [<c01cf00c>]
> > > (__get_free_pages+0x20/)
> > > [   27.252326] [<c01cf00c>] (__get_free_pages) from [<c01e5bec>]
> > > (kmalloc_order_trace+0x34/0xa)
> > > [   27.288295] [<c01e5bec>] (kmalloc_order_trace) from [<c0203304>]
> > > (__kmalloc+0x40/0x1ac)
> > > [   27.323751] [<c0203304>] (__kmalloc) from [<c052abc0>]
> > > (dwc2_hsotg_ep_queue.isra.12+0x7c/0x1)
> > > [   27.359937] [<c052abc0>] (dwc2_hsotg_ep_queue.isra.12) from
> > > [<c052af88>] (dwc2_hsotg_ep_queue)
> > > [   27.397478] [<c052af88>] (dwc2_hsotg_ep_queue_lock) from
> > > [<c0554110>] (rx_submit+0xfc/0x164)
> > > [   27.433619] [<c0554110>] (rx_submit) from [<c05546e8>]
> > > (rx_complete+0x22c/0x230)
> > > [   27.468872] [<c05546e8>] (rx_complete) from [<c052b528>]
> > > (dwc2_hsotg_complete_request+0xfc/0)
> > > [   27.506240] [<c052b528>] (dwc2_hsotg_complete_request) from
> > > [<c052bba0>] (dwc2_hsotg_handle_o)
> > > [   27.545401] [<c052bba0>] (dwc2_hsotg_handle_outdone) from
> > > [<c052be70>] (dwc2_hsotg_epint+0x2c)
> > > [   27.583689] [<c052be70>] (dwc2_hsotg_epint) from [<c052c750>]
> > > (dwc2_hsotg_irq+0x1dc/0x4ac)
> > > [   27.621041] [<c052c750>] (dwc2_hsotg_irq) from [<c01682e0>]
> > > (handle_irq_event_percpu+0x70/0x)
> > > [   27.659066] [<c01682e0>] (handle_irq_event_percpu) from
> > > [<c01684ec>] (handle_irq_event+0x4c)
> > > [   27.697322] [<c01684ec>] (handle_irq_event) from [<c016bae0>]
> > > (handle_fasteoi_irq+0xc8/0x11)
> > > [   27.735451] [<c016bae0>] (handle_fasteoi_irq) from [<c0167b8c>]
> > > (generic_handle_irq+0x30/0x)
> > > [   27.773918] [<c0167b8c>] (generic_handle_irq) from [<c0167ca4>]
> > > (__handle_domain_irq+0x84/0)
> > > [   27.812018] [<c0167ca4>] (__handle_domain_irq) from [<c01003b0>]
> > > (gic_handle_irq+0x48/0x6c)
> > > [   27.849695] [<c01003b0>] (gic_handle_irq) from [<c010b340>]
> > > (__irq_svc+0x40/0x50)
> > > [   27.886907] Exception stack(0xc0d01ee0 to 0xc0d01f28)
> > >
> > > Acked-by: John Youn <johnyoun@...opsys.com>
> > > Tested-by: Heiko Stuebner <heiko@...ech.de>
> > > Tested-by: Jeffy Chen <jeffy.chen@...k-chips.com>
> > > Signed-off-by: Yunzhi Li <lyz@...k-chips.com>
> >
> > Hi Felipe,
> > This patch has been hanging around for a while now. Can you please apply
> this?
> 
> https://git.kernel.org/cgit/linux/kernel/git/balbi/usb.git/commit/?h=testing/nex
> t&id=1c2e3377a933af9102f6c57c414c378a52d4e70d

Thanks!

> 
> --
> balbi

BR,
Yousaf
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists