lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAAeHK+wY+35uBvr0=FnKsWOj91QhXuVE++V7frn5AihAPLvo5Q@mail.gmail.com>
Date:   Tue, 10 Dec 2019 21:06:20 +0100
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     Alan Stern <stern@...land.harvard.edu>
Cc:     syzbot <syzbot+c7b0ec009a216143df30@...kaller.appspotmail.com>,
        Hans Verkuil <hverkuil@...all.nl>,
        Souptick Joarder <jrdr.linux@...il.com>,
        LKML <linux-kernel@...r.kernel.org>, linux-media@...r.kernel.org,
        USB list <linux-usb@...r.kernel.org>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Richard Fontana <rfontana@...hat.com>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Thomas Gleixner <tglx@...utronix.de>
Subject: Re: KASAN: use-after-free Read in usbvision_v4l2_open

On Tue, Dec 10, 2019 at 8:48 PM Alan Stern <stern@...land.harvard.edu> wrote:
>
> On Mon, 9 Dec 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    1f22d15c usb: gadget: add raw-gadget interface
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1296f42ae00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=8ccee2968018adcb
> > dashboard link: https://syzkaller.appspot.com/bug?extid=c7b0ec009a216143df30
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+c7b0ec009a216143df30@...kaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in __mutex_lock_common
> > kernel/locking/mutex.c:1043 [inline]
> > BUG: KASAN: use-after-free in __mutex_lock+0x124d/0x1360
> > kernel/locking/mutex.c:1106
> > Read of size 8 at addr ffff8881cad4d8b8 by task v4l_id/4526
> >
> > CPU: 0 PID: 4526 Comm: v4l_id Not tainted 5.4.0-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xef/0x16e lib/dump_stack.c:118
> >   print_address_description.constprop.0+0x36/0x50 mm/kasan/report.c:374
> >   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:506
> >   kasan_report+0xe/0x20 mm/kasan/common.c:638
> >   __mutex_lock_common kernel/locking/mutex.c:1043 [inline]
> >   __mutex_lock+0x124d/0x1360 kernel/locking/mutex.c:1106
> >   usbvision_v4l2_open+0x77/0x340
> > drivers/media/usb/usbvision/usbvision-video.c:314
> >   v4l2_open+0x20f/0x3d0 drivers/media/v4l2-core/v4l2-dev.c:423
> >   chrdev_open+0x219/0x5c0 fs/char_dev.c:414
> >   do_dentry_open+0x494/0x1120 fs/open.c:797
> >   do_last fs/namei.c:3412 [inline]
> >   path_openat+0x142b/0x4030 fs/namei.c:3529
> >   do_filp_open+0x1a1/0x280 fs/namei.c:3559
> >   do_sys_open+0x3c0/0x580 fs/open.c:1097
> >   do_syscall_64+0xb7/0x5b0 arch/x86/entry/common.c:294
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> This looks like a race in v4l2_open(): The function drops the
> videodev_lock mutex before calling the video driver's open routine, and
> the device can be unregistered during the short time between.
>
> This patch tries to make the race much more likely to happen, for
> testing and verification.
>
> Andrey, will syzbot run the same test with this patch, even though it
> says it doesn't have a reproducer?

Hi Alan,

No, unfortunately there's nothing to run if there's no reproducer.
It's technically possible to run the same program log that triggered
the bug initially, but since the bug wasn't reproduced with this log
even without the patch, there isn't much sense in running it with the
patch applied.

Thanks!

>
> Alan Stern
>
> #syz test: https://github.com/google/kasan.git 1f22d15c
>
> Index: usb-devel/drivers/media/usb/usbvision/usbvision-video.c
> ===================================================================
> --- usb-devel.orig/drivers/media/usb/usbvision/usbvision-video.c
> +++ usb-devel/drivers/media/usb/usbvision/usbvision-video.c
> @@ -1585,6 +1585,7 @@ static void usbvision_disconnect(struct
>                 wake_up_interruptible(&usbvision->wait_frame);
>                 wake_up_interruptible(&usbvision->wait_stream);
>         } else {
> +               msleep(100);
>                 usbvision_release(usbvision);
>         }
>
> Index: usb-devel/drivers/media/v4l2-core/v4l2-dev.c
> ===================================================================
> --- usb-devel.orig/drivers/media/v4l2-core/v4l2-dev.c
> +++ usb-devel/drivers/media/v4l2-core/v4l2-dev.c
> @@ -419,9 +419,10 @@ static int v4l2_open(struct inode *inode
>         video_get(vdev);
>         mutex_unlock(&videodev_lock);
>         if (vdev->fops->open) {
> -               if (video_is_registered(vdev))
> +               if (video_is_registered(vdev)) {
> +                       msleep(200);
>                         ret = vdev->fops->open(filp);
> -               else
> +               } else
>                         ret = -ENODEV;
>         }
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ