lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44L0.1912101440100.1647-100000@iolanthe.rowland.org>
Date:   Tue, 10 Dec 2019 14:47:59 -0500 (EST)
From:   Alan Stern <stern@...land.harvard.edu>
To:     syzbot <syzbot+c7b0ec009a216143df30@...kaller.appspotmail.com>
cc:     andreyknvl@...gle.com, <hverkuil@...all.nl>,
        <jrdr.linux@...il.com>, <linux-kernel@...r.kernel.org>,
        <linux-media@...r.kernel.org>, <linux-usb@...r.kernel.org>,
        <mchehab@...nel.org>, <rfontana@...hat.com>,
        <syzkaller-bugs@...glegroups.com>, <tglx@...utronix.de>
Subject: Re: KASAN: use-after-free Read in usbvision_v4l2_open

On Mon, 9 Dec 2019, syzbot wrote:

> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    1f22d15c usb: gadget: add raw-gadget interface
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1296f42ae00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=8ccee2968018adcb
> dashboard link: https://syzkaller.appspot.com/bug?extid=c7b0ec009a216143df30
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> 
> Unfortunately, I don't have any reproducer for this crash yet.
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+c7b0ec009a216143df30@...kaller.appspotmail.com
> 
> ==================================================================
> BUG: KASAN: use-after-free in __mutex_lock_common  
> kernel/locking/mutex.c:1043 [inline]
> BUG: KASAN: use-after-free in __mutex_lock+0x124d/0x1360  
> kernel/locking/mutex.c:1106
> Read of size 8 at addr ffff8881cad4d8b8 by task v4l_id/4526
> 
> CPU: 0 PID: 4526 Comm: v4l_id Not tainted 5.4.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xef/0x16e lib/dump_stack.c:118
>   print_address_description.constprop.0+0x36/0x50 mm/kasan/report.c:374
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:506
>   kasan_report+0xe/0x20 mm/kasan/common.c:638
>   __mutex_lock_common kernel/locking/mutex.c:1043 [inline]
>   __mutex_lock+0x124d/0x1360 kernel/locking/mutex.c:1106
>   usbvision_v4l2_open+0x77/0x340  
> drivers/media/usb/usbvision/usbvision-video.c:314
>   v4l2_open+0x20f/0x3d0 drivers/media/v4l2-core/v4l2-dev.c:423
>   chrdev_open+0x219/0x5c0 fs/char_dev.c:414
>   do_dentry_open+0x494/0x1120 fs/open.c:797
>   do_last fs/namei.c:3412 [inline]
>   path_openat+0x142b/0x4030 fs/namei.c:3529
>   do_filp_open+0x1a1/0x280 fs/namei.c:3559
>   do_sys_open+0x3c0/0x580 fs/open.c:1097
>   do_syscall_64+0xb7/0x5b0 arch/x86/entry/common.c:294
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe

This looks like a race in v4l2_open(): The function drops the
videodev_lock mutex before calling the video driver's open routine, and
the device can be unregistered during the short time between.

This patch tries to make the race much more likely to happen, for 
testing and verification.

Andrey, will syzbot run the same test with this patch, even though it 
says it doesn't have a reproducer?

Alan Stern

#syz test: https://github.com/google/kasan.git 1f22d15c

Index: usb-devel/drivers/media/usb/usbvision/usbvision-video.c
===================================================================
--- usb-devel.orig/drivers/media/usb/usbvision/usbvision-video.c
+++ usb-devel/drivers/media/usb/usbvision/usbvision-video.c
@@ -1585,6 +1585,7 @@ static void usbvision_disconnect(struct
 		wake_up_interruptible(&usbvision->wait_frame);
 		wake_up_interruptible(&usbvision->wait_stream);
 	} else {
+		msleep(100);
 		usbvision_release(usbvision);
 	}
 
Index: usb-devel/drivers/media/v4l2-core/v4l2-dev.c
===================================================================
--- usb-devel.orig/drivers/media/v4l2-core/v4l2-dev.c
+++ usb-devel/drivers/media/v4l2-core/v4l2-dev.c
@@ -419,9 +419,10 @@ static int v4l2_open(struct inode *inode
 	video_get(vdev);
 	mutex_unlock(&videodev_lock);
 	if (vdev->fops->open) {
-		if (video_is_registered(vdev))
+		if (video_is_registered(vdev)) {
+			msleep(200);
 			ret = vdev->fops->open(filp);
-		else
+		} else
 			ret = -ENODEV;
 	}
 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ