Message-ID: <c5599433-3eb0-3918-d93b-6860f7951e92@codeaurora.org>
Date:   Fri, 23 Apr 2021 12:10:57 -0700
From:   Wesley Cheng <wcheng@...eaurora.org>
To:     Felipe Balbi <balbi@...nel.org>, gregkh@...uxfoundation.org,
        peter.chen@...nel.org
Cc:     linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
        Hemant Kumar <hemantk@...eaurora.org>, stable@...r.kernel.org
Subject: Re: [PATCH v2] usb: gadget: Fix double free of device descriptor
 pointers



On 4/22/2021 4:01 AM, Felipe Balbi wrote:
> 
> Hi,
> 
> Wesley Cheng <wcheng@...eaurora.org> writes:
> 
>> From: Hemant Kumar <hemantk@...eaurora.org>
>>
>> Upon driver unbind usb_free_all_descriptors() function frees all
>> speed descriptor pointers without setting them to NULL. In case
>> gadget speed changes (i.e. from super speed plus to super speed)
>> after driver unbind only up to super speed descriptor pointers get
>> populated. Super speed plus desc still holds the stale (already
>> freed) pointer. Fix this issue by setting all descriptor pointers
>> to NULL after freeing them in usb_free_all_descriptors().
> 
> could you describe this a little better? How can one trigger this case?
> Is the speed demotion happening after unbinding? It's not clear how to
> cause this bug.
> 
Hi Felipe,

Internally, we have a mechanism to switch the DWC3 core maximum speed
parameter dynamically for displayport use cases.  This issue happens
whenever we have a maximum speed change occur on the USB gadget, which
for DWC3 happens whenever we call gadget init.  When we switch in and
out of host mode, gadget init is being executed, leading to the change
in the USB gadget max speed parameter:

dwc->gadget->max_speed		= dwc->maximum_speed;

I know that configFS gadget has the max_speed sysfs file, which is a
similar mechanism, but I haven't tried to see if we can reproduce the
same issue with it.  Let me see if we can reproduce this with that
configfs speed setting.

Thanks
Wesley Cheng

-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project
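
The sequence described in the quoted commit message, as an added user-space model that is not part of the original thread or the kernel source. The struct, the function names and the `live[]` shadow array are hypothetical; the shadow array exists only so the model can count stale pointers without actually freeing memory twice.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model; all names here are hypothetical, not kernel structures. */
enum speed { FS, HS, SS, SSP, NSPEEDS };
struct func_model {
    void *desc[NSPEEDS];  /* per-speed descriptor copies */
    bool  live[NSPEEDS];  /* shadow state: desc[i] is currently allocated */
};

/* Bind: populate descriptors only up to the gadget's current max speed. */
static void assign_descriptors(struct func_model *f, enum speed max)
{
    for (int i = FS; i <= (int)max; i++) {
        f->desc[i] = malloc(16);
        f->live[i] = (f->desc[i] != NULL);
    }
}

/* Unbind. null_after_free == false models the behaviour the patch fixes.
 * The live[] guard keeps this model from really freeing a slot twice. */
static void free_all_descriptors(struct func_model *f, bool null_after_free)
{
    for (int i = 0; i < NSPEEDS; i++) {
        if (f->live[i]) free(f->desc[i]);
        f->live[i] = false;
        if (null_after_free) f->desc[i] = NULL;
    }
}

/* Bind at SSP, unbind, rebind at SS; count slots still holding a freed address. */
static int stale_after_speed_drop(bool null_after_free)
{
    struct func_model f = {0};
    int stale = 0;
    assign_descriptors(&f, SSP);
    free_all_descriptors(&f, null_after_free);
    assign_descriptors(&f, SS);
    for (int i = 0; i < NSPEEDS; i++)
        stale += (f.desc[i] != NULL && !f.live[i]);
    free_all_descriptors(&f, true);
    return stale;
}

int main(void)
{
    printf("%d %d\n", stale_after_speed_drop(false), stale_after_speed_drop(true));
}
```

Each slot counted as stale is one that an unguarded free on the next unbind would release a second time; with the pointers set to NULL after freeing, the count is zero and a later free of that slot is a no-op.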
