lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1134d446-3189-4f2d-81b4-10142e751320@rowland.harvard.edu>
Date:   Sat, 12 Aug 2023 11:56:36 -0400
From:   Alan Stern <stern@...land.harvard.edu>
To:     syzbot <syzbot+d6b0b0ea0781c14b2ecf@...kaller.appspotmail.com>,
        Oliver Neukum <oneukum@...e.com>
Cc:     arnd@...db.de, christian.brauner@...ntu.com,
        gregkh@...uxfoundation.org, hdanton@...a.com,
        linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
        mpe@...erman.id.au, oleg@...hat.com,
        syzkaller-bugs@...glegroups.com, web@...kaller.appspotmail.com
Subject: Re: [syzbot] [usb?] KASAN: slab-use-after-free Write in
 usb_anchor_suspend_wakeups

On Sat, Aug 12, 2023 at 02:51:30AM -0700, syzbot wrote:
> syzbot has bisected this issue to:
> 
> commit 9b4feb630e8e9801603f3cab3a36369e3c1cf88d
> Author: Christian Brauner <christian.brauner@...ntu.com>
> Date:   Fri May 24 09:31:44 2019 +0000
> 
>     arch: wire-up close_range()
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1323329ba80000
> start commit:   89d77f71f493 Merge tag 'riscv-for-linus-6.4-mw1' of git://..
> git tree:       upstream
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=10a3329ba80000
> console output: https://syzkaller.appspot.com/x/log.txt?x=1723329ba80000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d963e7536cbe545e
> dashboard link: https://syzkaller.appspot.com/bug?extid=d6b0b0ea0781c14b2ecf
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11471b84280000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10b98e2c280000
> 
> Reported-by: syzbot+d6b0b0ea0781c14b2ecf@...kaller.appspotmail.com
> Fixes: 9b4feb630e8e ("arch: wire-up close_range()")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

This attribution is extremely unlikely.

The real problem seems to be some sort of race in usbtmc and the core 
between URBs being added to an anchor, file I/O being stopped, and URBs 
being killed or scuttled when the file is flushed.

The bug is caused by an URB completing after (or while) its anchor is 
deallocated.  Note that __usb_hcd_giveback_urb() removes an URB from its 
anchor before calling the completion routine, but dereferences the 
anchor afterward.  The anchor could easily be deallocated during that 
window.

Alan Stern

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ