lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Thu, 11 Jun 2020 12:24:36 +0800
From:   Macpaul Lin <macpaul.lin@...iatek.com>
To:     Macpaul Lin <macpaul@...il.com>, Jim Lin <jilin@...dia.com>,
        "Felipe Balbi" <balbi@...nel.org>, <linux-usb@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>,
        Greg KH <gregkh@...uxfoundation.org>,
        "Steve Beattie" <steve.beattie@...onical.com>,
        Kees Cook <keescook@...omium.org>,
        Steve Beattie <steve.beattie@...onical.com>,
        Siqi Lin <siqilin@...gle.com>
Subject: Re: [PATCH v2] usb: gadget: configfs: Fix KASAN use-after-free

On Thu, 2017-09-01 at 10:25:32 -0700, Kees Cook wrote:
> Subject: Re: [PATCH v2] usb: gadget: configfs: Fix KASAN use-after-free
> To: Jim Lin <jilin@...dia.com>
> Cc: Felipe Balbi <balbi@...nel.org>, <linux-usb@...r.kernel.org>, LKML
> <linux-kernel@...r.kernel.org>, Greg KH <gregkh@...uxfoundation.org>,
> Steve Beattie <steve.beattie@...onical.com>
> 
> 
> On Tue, Jan 17, 2017 at 1:29 AM, Jim Lin <jilin@...dia.com> wrote:
> > When gadget is disconnected, running sequence is like this.
> > . composite_disconnect
> > . Call trace:
> >   usb_string_copy+0xd0/0x128
> >   gadget_config_name_configuration_store+0x4
> >   gadget_config_name_attr_store+0x40/0x50
> >   configfs_write_file+0x198/0x1f4
> >   vfs_write+0x100/0x220
> >   SyS_write+0x58/0xa8
> > . configfs_composite_unbind
> > . configfs_composite_bind
> >
> > In configfs_composite_bind, it has
> > "cn->strings.s = cn->configuration;"
> >
> > When usb_string_copy is invoked. it would
> > allocate memory, copy input string, release previous pointed memory space,
> > and use new allocated memory.
> >
> > When gadget is connected, host sends down request to get information.
> > Call trace:
> >   usb_gadget_get_string+0xec/0x168
> >   lookup_string+0x64/0x98
> >   composite_setup+0xa34/0x1ee8
> >   android_setup+0xb4/0x140
> >
> > If gadget is disconnected and connected quickly, in the failed case,
> > cn->configuration memory has been released by usb_string_copy kfree but
> > configfs_composite_bind hasn't been run in time to assign new allocated
> > "cn->configuration" pointer to "cn->strings.s".
> >
> > When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling
> > memory is accessed, "BUG: KASAN: use-after-free" error occurs.
> >
> > Signed-off-by: Jim Lin <jilin@...dia.com>
> 
> Hi! What's the current state of this patch?

Mediatek is using this bug fix in Android kernel 3.18, 4.4, 4.9, 4.14
and 4.19. Kernel code nowadays.

Since there are news that Google is planning to use Generic Kernel Image
(GKI) for future Android. Should this patch be refined and adapt into
Linux?

Dear Jim and Siqi, according to Felipe's mail before, do you have
environments to test it on a Linux environment like on PC? Maybe on some
embedded environment not using Android or Chromium OS? I don't have that
kind of environment in my office hence I just couldn't provide a help to
do the test.

> > ---
> > Changes in v2:
> >  Rephrase commit description
> >
> >  drivers/usb/gadget/configfs.c | 15 +++++++++++----
> >  1 file changed, 11 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
> > index 78c4497..39fea62 100644
> > --- a/drivers/usb/gadget/configfs.c
> > +++ b/drivers/usb/gadget/configfs.c
> > @@ -106,6 +106,9 @@ struct gadget_config_name {
> >         struct list_head list;
> >  };
> >
> > +#define MAX_USB_STRING_LEN     126
> > +#define MAX_USB_STRING_WITH_NULL_LEN   (MAX_USB_STRING_LEN+1)
> > +
> >  static int usb_string_copy(const char *s, char **s_copy)
> >  {
> >         int ret;
> > @@ -115,12 +118,16 @@ static int usb_string_copy(const char *s, char **s_copy)
> >         if (ret > 126)
> 
> This should be MAX_USB_STRING_LEN, yes?
> 
> >                 return -EOVERFLOW;
> >
> > -       str = kstrdup(s, GFP_KERNEL);
> > -       if (!str)
> > -               return -ENOMEM;
> > +       if (copy) {
> > +               str = copy;
> > +       } else {
> > +               str = kmalloc(MAX_USB_STRING_WITH_NULL_LEN, GFP_KERNEL);
> > +               if (!str)
> > +                       return -ENOMEM;
> > +       }
> > +       strcpy(str, s);
> >         if (str[ret - 1] == '\n')
> >                 str[ret - 1] = '\0';
> > -       kfree(copy);
> >         *s_copy = str;
> >         return 0;
> >  }
> > --
> > 2.7.4
> >
> 
> -Kees

Thank you very much.
Macpaul Lin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ