| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Jan 2020 13:41:05 +0100
From: Andrey Konovalov <andreyknvl@...gle.com>
To: Hillf Danton <hdanton@...a.com>
Cc: Laurent Pinchart <laurent.pinchart@...asonboard.com>,
syzbot <syzbot+75287f75e2fedd69d680@...kaller.appspotmail.com>,
bnvandana@...il.com, hverkuil-cisco@...all.nl,
LKML <linux-kernel@...r.kernel.org>, linux-media@...r.kernel.org,
USB list <linux-usb@...r.kernel.org>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Hans Verkuil <hans.verkuil@...co.com>
Subject: Re: KASAN: use-after-free Read in v4l2_release (3)
On Fri, Jan 24, 2020 at 3:29 AM Hillf Danton <hdanton@...a.com> wrote:
>
>
> On Thu, 23 Jan 2020 14:19:47 +0200 Laurent Pinchart wrote:
> > On Thu, Jan 23, 2020 at 06:27:07PM +0800, Hillf Danton wrote:
> > > Wed, 22 Jan 2020 14:58:08 -0800 (PST)
> > > > syzbot has found a reproducer for the following crash on:
> > > >
> > > > HEAD commit: 4cc301ee usb: gadget: add raw-gadget interface
> > > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=17f5a721e00000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=9ba75825443d54bd
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=75287f75e2fedd69d680
> > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a0b6f1e00000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1327dd76e00000
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > Reported-by: syzbot+75287f75e2fedd69d680@...kaller.appspotmail.com
> > > >
> > > > usbvision_set_audio: can't write iopin register for audio switching
> > > > usbvision_radio_close: Final disconnect
> > > > ==================================================================
> > > > BUG: KASAN: use-after-free in v4l2_release+0x2f1/0x390 drivers/media/v4l2-core/v4l2-dev.c:459
> > > > Read of size 4 at addr ffff8881caba1068 by task v4l_id/1913
>
> <snip>
>
> > > Add the release callback for usbvision video device and use it to release
> > > resources when the last reference to the device goes away.
> >
> > Would you be able to submit this with a commit message and your
> > Signed-off-by line ?
>
> ---8<---
> Subject: [PATCH] media: usbvision: add the release callback for video device
> From: Hillf Danton <hdanton@...a.com>
>
> To fix the UAF syzbot reported,
>
> BUG: KASAN: use-after-free in v4l2_release+0x2f1/0x390 drivers/media/v4l2-core/v4l2-dev.c:459
>
> a release cb which is a simple wrapper of usbvision_release() is added
> for releasing resources as the last reference to the usbvision video
> device goes away.
>
> Reported-by: syzbot <syzbot+75287f75e2fedd69d680@...kaller.appspotmail.com>
> Fixes: 2aa689dd8057 ("[media] usbvision: embed video_device")
> Cc: Hans Verkuil <hans.verkuil@...co.com>
> Signed-off-by: Hillf Danton <hdanton@...a.com>
> ---
>
> --- a/drivers/media/usb/usbvision/usbvision-video.c
> +++ b/drivers/media/usb/usbvision/usbvision-video.c
> @@ -401,7 +401,6 @@ static int usbvision_v4l2_close(struct f
>
> if (r) {
> printk(KERN_INFO "%s: Final disconnect\n", __func__);
> - usbvision_release(usbvision);
> return 0;
> }
>
> @@ -409,6 +408,11 @@ static int usbvision_v4l2_close(struct f
> return v4l2_fh_release(file);
> }
>
> +static void usbvision_video_device_release(struct video_device *vdev)
> +{
> + struct usb_usbvision *usbvision = video_get_drvdata(vdev);
> + usbvision_release(usbvision);
> +}
>
> /*
> * usbvision_ioctl()
> @@ -1181,7 +1185,7 @@ static struct video_device usbvision_vid
> .fops = &usbvision_fops,
> .ioctl_ops = &usbvision_ioctl_ops,
> .name = "usbvision-video",
> - .release = video_device_release_empty,
> + .release = usbvision_video_device_release,
> .tvnorms = USBVISION_NORMS,
> };
>
> --- a/drivers/media/v4l2-core/v4l2-dev.c
> +++ b/drivers/media/v4l2-core/v4l2-dev.c
> @@ -206,7 +206,10 @@ static void v4l2_device_release(struct d
> }
> #endif
>
> - /* Do not call v4l2_device_put if there is no release callback set.
> + /*
> + * Decrease v4l2_device refcount
> + *
> + * Do not call v4l2_device_put if there is no release callback set.
> * Drivers that have no v4l2_device release callback might free the
> * v4l2_dev instance in the video_device release callback below, so we
> * must perform this check here.
> @@ -214,16 +217,12 @@ static void v4l2_device_release(struct d
> * TODO: In the long run all drivers that use v4l2_device should use the
> * v4l2_device release callback. This check will then be unnecessary.
> */
> - if (v4l2_dev->release == NULL)
> - v4l2_dev = NULL;
> + if (v4l2_dev->release)
> + v4l2_device_put(v4l2_dev);
>
> /* Release video_device and perform other
> cleanups as needed. */
> vdev->release(vdev);
> -
> - /* Decrease v4l2_device refcount */
> - if (v4l2_dev)
> - v4l2_device_put(v4l2_dev);
> }
>
> static struct class video_class = {
> --
#syz test: https://github.com/google/kasan.git ae179410
Download attachment "usbvision.patch" of type "application/x-patch" (2585 bytes)
Powered by blists - more mailing lists