lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 17 Apr 2024 10:23:51 -0400
From: Alan Stern <stern@...land.harvard.edu>
To: Sam Sun <samsun1006219@...il.com>
Cc: linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
  Greg KH <gregkh@...uxfoundation.org>, swboyd@...omium.org,
  ricardo@...liere.net, hkallweit1@...il.com, heikki.krogerus@...ux.intel.com,
  mathias.nyman@...ux.intel.com, royluo@...gle.com,
  syzkaller-bugs@...glegroups.com, xrivendell7@...il.com
Subject: Re: [Linux kernel bug] general protection fault in disable_store

On Wed, Apr 17, 2024 at 03:39:02PM +0800, Sam Sun wrote:
> On Wed, Apr 17, 2024 at 12:35 AM Alan Stern <stern@...land.harvard.edu> wrote:
> > It turns out that patch is no good.  The reason is mentioned in the
> > changelog for commit 543d7784b07f ("USB: fix race between hub_disconnect
> > and recursively_mark_NOTATTACHED"); it says that the port devices have to
> > be removed _after_ maxchild has been set to 0.
> >
> 
> I checked the commit you mentioned. Maybe your first fix is all we
> need to fix the problem? At least no race would occur for
> hdev->maxchild and usb_set_intfdata().

No, the first patch won't help, even though it passed your testing.  The 
race it eliminates is a harmless one -- or at least, it's harmless in 
this context.  If usb_hub_to_struct_hub() sees bad values for 
hdev->maxchild or usb_get_intfdata(), it will simply return NULL.  But 
this can happen even with the first patch applied, if the user tries to 
access disable_store() during the brief time between when hdev->maxchild 
is set to 0 and when the port devices are removed.

The true fix is simply to check whether the return value from 
usb_hub_to_struct_hub() is NULL, which is what this patch does.

> I applied this patch and it also can fix the warning. I am not sure
> which one is better.

I'm quite sure that this one is better.  I will submit it shortly, with 
your Tested-by:.

Thanks a lot; the work you have done on this has been a big help.

Alan Stern

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ