lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <29aadcf136bb4d5285afb4fc5b500b49@SVR-IES-MBX-03.mgc.mentorg.com>
Date:   Wed, 14 Aug 2019 13:32:49 +0000
From:   "Schmid, Carsten" <Carsten_Schmid@...tor.com>
To:     Hans de Goede <hdegoede@...hat.com>
CC:     "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-pci@...r.kernel.org" <linux-pci@...r.kernel.org>
Subject: AW: [PATCH] usb: xhci-pci: reorder removal to avoid use-after-free

> > On driver removal, the platform_device_unregister call
> > attached through devm_add_action_or_reset was executed
> > after usb_hcd_pci_remove.
> > This lead to a use-after-free for the iomem resorce of
> > the xhci-ext-caps driver in the platform removal
> > because the parent of the resource was freed earlier.
> >
> > Fix this by reordering of the removal sequence.
> >
> > Signed-off-by: Carsten Schmid <carsten_schmid@...tor.com>
> 
> Assuming this has been tested, overal this looks good to me.

Tested on 4.14.129, ported to v5.2.7, compiled there.

> 
> But there are 2 things to fix:
> 
> 1) Maybe pick a more descriptive struct member name then pdev.
>     pdev with pci-devices often points to a pci_device ...
>     How about: role_switch_pdev ?

Ok, good point. Had platform dev pdev in mind ...

> 
> 2) xhci_ext_cap_init() is not the last call which can fail in
>     xhci_pci_probe(), since you now no longer use
> devm_add_action_or_reset
>     for auto-cleanup, you must now manually cleanup by calling
>     xhci_ext_cap_remove() when later steps of xhci_pci_probe() fail.
>     it looks like you will need a new ext_cap_remove error-exit label
>     for this put above the put_usb3_hcd label and goto this new label
>     instead of to put_usb3_hcd in all error paths after a successful call
>     to xhci_ext_cap_init()

Right. Will review this path and correct accordingly.

Maybe an additional label isn't required because pdev is only set when
xhci_ext_cap_init created the platform device, and xhci_ext_cap_remove
checks for pdev being set.
So a call to xhci_ext_cap_remove doesn't harm if pdev is not set up yet.
But for readability it might be better to create a label.

Best regards
Carsten

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ