lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1615444961-13376-1-git-send-email-macpaul.lin@mediatek.com>
Date:   Thu, 11 Mar 2021 14:42:41 +0800
From:   Macpaul Lin <macpaul.lin@...iatek.com>
To:     Jim Lin <jilin@...dia.com>,
        Thadeu Lima de Souza Cascardo <cascardo@...onical.com>,
        Felipe Balbi <balbi@...nel.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Matthias Brugger <matthias.bgg@...il.com>,
        <linux-usb@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <linux-arm-kernel@...ts.infradead.org>,
        <linux-mediatek@...ts.infradead.org>
CC:     Ainge Hsu <ainge.hsu@...iatek.com>,
        Eddie Hung <eddie.hung@...iatek.com>,
        Kuohong Wang <kuohong.wang@...iatek.com>,
        Mediatek WSD Upstream <wsd_upstream@...iatek.com>,
        Macpaul Lin <macpaul.lin@...iatek.com>,
        Macpaul Lin <macpaul@...il.com>, <stable@...r.kernel.org>
Subject: [PATCH v4] usb: gadget: configfs: Fix KASAN use-after-free

From: Jim Lin <jilin@...dia.com>

When gadget is disconnected, running sequence is like this.
. composite_disconnect
. Call trace:
  usb_string_copy+0xd0/0x128
  gadget_config_name_configuration_store+0x4
  gadget_config_name_attr_store+0x40/0x50
  configfs_write_file+0x198/0x1f4
  vfs_write+0x100/0x220
  SyS_write+0x58/0xa8
. configfs_composite_unbind
. configfs_composite_bind

In configfs_composite_bind, it has
"cn->strings.s = cn->configuration;"

When usb_string_copy is invoked. it would
allocate memory, copy input string, release previous pointed memory space,
and use new allocated memory.

When gadget is connected, host sends down request to get information.
Call trace:
  usb_gadget_get_string+0xec/0x168
  lookup_string+0x64/0x98
  composite_setup+0xa34/0x1ee8

If gadget is disconnected and connected quickly, in the failed case,
cn->configuration memory has been released by usb_string_copy kfree but
configfs_composite_bind hasn't been run in time to assign new allocated
"cn->configuration" pointer to "cn->strings.s".

When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling
memory is accessed, "BUG: KASAN: use-after-free" error occurs.

Signed-off-by: Jim Lin <jilin@...dia.com>
Signed-off-by: Macpaul Lin <macpaul.lin@...iatek.com>
Cc: stable@...r.kernel.org
---
Changes in v2:
Changes in v3:
 - Change commit description
Changes in v4:
 - Fix build error and adapt patch to kernel-5.12-rc1.
   Replace definition "MAX_USB_STRING_WITH_NULL_LEN" with
   "USB_MAX_STRING_WITH_NULL_LEN".
 - Note: The patch v2 and v3 has been verified by
   Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
   http://spinics.net/lists/kernel/msg3840792.html
   and
   Macpaul Lin <macpaul.lin@...iatek.com> on Android kernels.
   http://lkml.org/lkml/2020/6/11/8
 - The patch is suggested to be applied to LTS versions.

 drivers/usb/gadget/configfs.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index 0d56f33..15a607c 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -97,6 +97,8 @@ struct gadget_config_name {
 	struct list_head list;
 };
 
+#define USB_MAX_STRING_WITH_NULL_LEN	(USB_MAX_STRING_LEN+1)
+
 static int usb_string_copy(const char *s, char **s_copy)
 {
 	int ret;
@@ -106,12 +108,16 @@ static int usb_string_copy(const char *s, char **s_copy)
 	if (ret > USB_MAX_STRING_LEN)
 		return -EOVERFLOW;
 
-	str = kstrdup(s, GFP_KERNEL);
-	if (!str)
-		return -ENOMEM;
+	if (copy) {
+		str = copy;
+	} else {
+		str = kmalloc(USB_MAX_STRING_WITH_NULL_LEN, GFP_KERNEL);
+		if (!str)
+			return -ENOMEM;
+	}
+	strcpy(str, s);
 	if (str[ret - 1] == '\n')
 		str[ret - 1] = '\0';
-	kfree(copy);
 	*s_copy = str;
 	return 0;
 }
-- 
1.7.9.5

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ