Message-ID: <s5hlfc11tx8.wl-tiwai@suse.de>
Date: Sat, 06 Feb 2021 09:28:51 +0100
From: Takashi Iwai <tiwai@...e.de>
To: Mikhail Gavrilov <mikhail.v.gavrilov@...il.com>
Cc: Hillf Danton <hdanton@...a.com>, zonque@...il.com,
LKML <linux-kernel@...r.kernel.org>, alsa-devel@...a-project.org,
linux-usb@...r.kernel.org
Subject: Re: BUG: KASAN: use-after-free in snd_complete_urb+0x109e/0x1740 [snd_usb_audio] (5.11-rc6)
On Sat, 06 Feb 2021 08:48:05 +0100,
Takashi Iwai wrote:
>
> On Sat, 06 Feb 2021 06:45:32 +0100,
> Hillf Danton wrote:
> >
> > Due to the reconnecting key word mentioned, no fix to
> > d0f09d1e4a88 ("ALSA: usb-audio: Refactoring endpoint URB deactivation")
> > will be added.
> >
> > What is added is to capture EP_FLAG_STOPPING and remove the one
> > second wait limit if the reconnecting acts may make it easier to
> > repro the uaf. The diff is only for idea show.
>
> If my understanding is right, this won't change. The problem is
> rather the lack of this function call itself, i.e. the missing
> synchronization for the stream stop.
>
> It worked casually in the past because the endpoint resource is
> released at a later point that is after all streams are really closed.
> Now it's released earlier and hitting the UAF.
... and reading the code in a closer look, my guess was also wrong.
The sync should have happened in snd_usb_endpoint_release(), and this
didn't change for quite some time. So my previous fix won't be
effective, too, I'm afraid. (And Hillf's patch won't help, either; if
it's effective, there must have been a timeout error in the original
case.)
That said, I don't think this is a newly introduced regression, and
the race condition could be in a hairy detail.
Mikhail, can you reproduce this bug reliably?
Takashi