Date:   Sat, 06 Feb 2021 13:19:11 +0100
From:   Takashi Iwai <tiwai@...e.de>
To:     Mikhail Gavrilov <mikhail.v.gavrilov@...il.com>
Cc:     Hillf Danton <hdanton@...a.com>, zonque@...il.com,
        LKML <linux-kernel@...r.kernel.org>, alsa-devel@...a-project.org,
        linux-usb@...r.kernel.org
Subject: Re: BUG: KASAN: use-after-free in snd_complete_urb+0x109e/0x1740 [snd_usb_audio] (5.11-rc6)

On Sat, 06 Feb 2021 09:28:51 +0100,
Takashi Iwai wrote:
> 
> On Sat, 06 Feb 2021 08:48:05 +0100,
> Takashi Iwai wrote:
> > 
> > On Sat, 06 Feb 2021 06:45:32 +0100,
> > Hillf Danton wrote:
> > > 
> > > Due to the reconnecting keyword mentioned, no fix to
> > > d0f09d1e4a88 ("ALSA: usb-audio: Refactoring endpoint URB deactivation")
> > > will be added.
> > > 
> > > What is added is to capture EP_FLAG_STOPPING and remove the one-second
> > > wait limit, if the reconnecting acts may make it easier to
> > > repro the UAF. The diff is only to show the idea.
> > 
> > If my understanding is right, this won't change.  The problem is
> > rather the lack of this function call itself, i.e. the missing
> > synchronization for the stream stop.
> > 
> > It worked casually in the past because the endpoint resource is
> > released at a later point that is after all streams are really closed.
> > Now it's released earlier and hitting the UAF.
> 
> ... and reading the code in a closer look, my guess was also wrong.
> The sync should have happened in snd_usb_endpoint_release(), and this
> didn't change for quite some time.  So my previous fix won't be
> effective, either, I'm afraid.  (And Hillf's patch won't help, either; if
> it's effective, there must have been a timeout error in the original
> case.)
> 
> That said, I don't think this is a newly introduced regression, and
> the race condition could be in a hairy detail.
> 
> Mikhail, can you reproduce this bug reliably?

And if you can reproduce the problem, please try the
topic/pcm-sync-stop-fixes branch of my sound git tree
  git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git


Takashi
