lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 30 Dec 2021 14:46:00 -0500
From:   Alan Stern <stern@...land.harvard.edu>
To:     Hangyu Hua <hbh25y@...il.com>
Cc:     balbi@...nel.org, gregkh@...uxfoundation.org, axboe@...nel.dk,
        jj251510319013@...il.com, dan.carpenter@...cle.com,
        linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 2/2] usb: gadget: clear related members when goto fail

On Thu, Dec 30, 2021 at 01:11:32PM +0800, Hangyu Hua wrote:
> dev->config and dev->hs_config and dev->dev need to be cleaned if
> dev_config fails to avoid UAF.
> 
> Acked-by: Alan Stern <stern@...land.harvard.edu>

You must not do this.  I never sent you an Acked-by for this patch; you 
shouldn't claim that I did.

> Signed-off-by: Hangyu Hua <hbh25y@...il.com>
> ---
>  drivers/usb/gadget/legacy/inode.c | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
> index eaad03c0252f..d2e88f3b9131 100644
> --- a/drivers/usb/gadget/legacy/inode.c
> +++ b/drivers/usb/gadget/legacy/inode.c
> @@ -1847,7 +1847,7 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
>  		total = le16_to_cpu(dev->hs_config->wTotalLength);
>  		if (!is_valid_config(dev->hs_config, total) ||
>  				total > length - USB_DT_DEVICE_SIZE)
> -			goto fail;
> +			goto fail1;
>  		kbuf += total;
>  		length -= total;
>  	} else {
> @@ -1858,12 +1858,12 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
>  
>  	/* device descriptor (tweaked for paranoia) */
>  	if (length != USB_DT_DEVICE_SIZE)
> -		goto fail;
> +		goto fail1;
>  	dev->dev = (void *)kbuf;
>  	if (dev->dev->bLength != USB_DT_DEVICE_SIZE
>  			|| dev->dev->bDescriptorType != USB_DT_DEVICE
>  			|| dev->dev->bNumConfigurations != 1)
> -		goto fail;
> +		goto fail2;
>  	dev->dev->bcdUSB = cpu_to_le16 (0x0200);
>  
>  	/* triggers gadgetfs_bind(); then we can enumerate. */
> @@ -1875,6 +1875,9 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
>  
>  	value = usb_gadget_probe_driver(&gadgetfs_driver);
>  	if (value != 0) {
> +		dev->dev = NULL;
> +		dev->hs_config = NULL;
> +		dev->config = NULL;
>  		kfree (dev->buf);
>  		dev->buf = NULL;

Why not just grep the lock and goto fail?

>  	} else {
> @@ -1892,7 +1895,12 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
>  	}
>  	return value;
>  
> +fail2:
> +	dev->dev = NULL;
> +fail1:
> +	dev->hs_config = NULL;

It is not necessary to have all these different statement labels.  You 
can simply have "fail:" clear all three pointers.

>  fail:
> +	dev->config = NULL;
>  	spin_unlock_irq (&dev->lock);
>  	pr_debug ("%s: %s fail %zd, %p\n", shortname, __func__, value, dev);
>  	kfree (dev->buf);

Alan Stern

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ