lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250902125549.03f22bcf.michal.pecio@gmail.com>
Date: Tue, 2 Sep 2025 12:55:49 +0200
From: Michał Pecio <michal.pecio@...il.com>
To: Mathias Nyman <mathias.nyman@...ux.intel.com>
Cc: David Wang <00107082@....com>, WeitaoWang-oc@...oxin.com,
 gregkh@...uxfoundation.org, linux-usb@...r.kernel.org,
 regressions@...ts.linux.dev, linux-kernel@...r.kernel.org,
 surenb@...gle.com, kent.overstreet@...ux.dev
Subject: Re: [PATCH] usb: xhci: Fix xhci_free_virt_devices_depth_first()

On Tue, 2 Sep 2025 13:13:12 +0300, Mathias Nyman wrote:
> On 2.9.2025 12.07, Michał Pecio wrote:
> > On Tue, 2 Sep 2025 10:46:30 +0200, Michał Pecio wrote:  
> >> On Tue, 2 Sep 2025 16:30:48 +0800 (CST), David Wang wrote:  
> >>> About the change from "<" to "<=", I did not observe any difference on my system. Is it because my system does not use up all slots?  
> >>
> >> This too, you would need to fiddle with devices (or connect enough
> >> of them) to reach Slot ID 255 (probably the highest on most systems),
> >> depending on the xHCI controller and its ID allocation policy.  
> > 
> > This made me wonder what those policies are. I'm too lazy for thorough
> > testing, but I plugged and unplugged the same device a few times.
> > 
> > Most HCs kept assigning ID 1, so they likely always pick the lowest.
> > 
> > My AMD chipset, two ASMedia USB 3.1 controllers and a Fresco FL1100
> > kept assigning sequentially increasing IDs, so I suppose I could pump
> > it up near the top, connect two high speed hubs and trigger this bug.
> >   
> >> But also as explained, this bug doesn't make things go boom just yet.
> >>
> >> Except if combined with your bug in an obscure edge case:
> >>
> >> 1. A high speed hub has slot ID HCS_MAX_SLOTS-1 and some TT children.
> >> 2. Another high speed hub has slot ID HCS_MAX_SLOTS.
> >> 3. We start with freeing the second hub.
> >> 4. The loop is entered and leaves vdev pointing at the first hub.
> >> 5. The first hub is freed instead of the second one.
> >> 6. Then its children are freed and UAF its tt_info.  
> 
> I'm not sure I follow the above.
> 
> I agree that changing the "<" to "<=" makes sense, but fortunately for us there shouldn't be any
> issue with current implementation as xhci_free_virt_devices_depth_first() is called with highest possible
> slot_id value first:
> 
> in xhci-memm.c:
>   for (i = HCS_MAX_SLOTS(xhci->hcs_params1); i > 0; i--)
>                  xhci_free_virt_devices_depth_first(xhci, i);
> 
> if HCS_MAX_SLOTS slot_id is a hs-hub then all its children have slot_id < HCS_MAX_SLOTS,
> and loop works fine.

The loop works fine, but it exists with vdev pointing at MAX_SLOTS-1
due to off by one and then this happens:

	xhci_free_virt_device(xhci, vdev, slot_id);

which means:

	xhci_free_virt_device(xhci, xhci->devs[MAX_SLOTS-1], MAX_SLOTS);

If MAX_SLOTS-1 is a high speed hub, it will be freed right now, without
freeing its children first.

And whatever this device is, it will be freed without nulling
xhci->devs[MAX_SLOTS-1], which might cause other UAF later (not sure).

I think it's possible, though I haven't tried actually triggering it.
The problem didn't exist before this recent patch.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ