| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250902125549.03f22bcf.michal.pecio@gmail.com> Date: Tue, 2 Sep 2025 12:55:49 +0200 From: Michał Pecio <michal.pecio@...il.com> To: Mathias Nyman <mathias.nyman@...ux.intel.com> Cc: David Wang <00107082@....com>, WeitaoWang-oc@...oxin.com, gregkh@...uxfoundation.org, linux-usb@...r.kernel.org, regressions@...ts.linux.dev, linux-kernel@...r.kernel.org, surenb@...gle.com, kent.overstreet@...ux.dev Subject: Re: [PATCH] usb: xhci: Fix xhci_free_virt_devices_depth_first() On Tue, 2 Sep 2025 13:13:12 +0300, Mathias Nyman wrote: > On 2.9.2025 12.07, Michał Pecio wrote: > > On Tue, 2 Sep 2025 10:46:30 +0200, Michał Pecio wrote: > >> On Tue, 2 Sep 2025 16:30:48 +0800 (CST), David Wang wrote: > >>> About the change from "<" to "<=", I did not observe any difference on my system. Is it because my system does not use up all slots? > >> > >> This too, you would need to fiddle with devices (or connect enough > >> of them) to reach Slot ID 255 (probably the highest on most systems), > >> depending on the xHCI controller and its ID allocation policy. > > > > This made me wonder what those policies are. I'm too lazy for thorough > > testing, but I plugged and unplugged the same device a few times. > > > > Most HCs kept assigning ID 1, so they likely always pick the lowest. > > > > My AMD chipset, two ASMedia USB 3.1 controllers and a Fresco FL1100 > > kept assigning sequentially increasing IDs, so I suppose I could pump > > it up near the top, connect two high speed hubs and trigger this bug. > > > >> But also as explained, this bug doesn't make things go boom just yet. > >> > >> Except if combined with your bug in an obscure edge case: > >> > >> 1. A high speed hub has slot ID HCS_MAX_SLOTS-1 and some TT children. > >> 2. Another high speed hub has slot ID HCS_MAX_SLOTS. > >> 3. We start with freeing the second hub. > >> 4. The loop is entered and leaves vdev pointing at the first hub. > >> 5. The first hub is freed instead of the second one. > >> 6. Then its children are freed and UAF its tt_info. > > I'm not sure I follow the above. > > I agree that changing the "<" to "<=" makes sense, but fortunately for us there shouldn't be any > issue with current implementation as xhci_free_virt_devices_depth_first() is called with highest possible > slot_id value first: > > in xhci-memm.c: > for (i = HCS_MAX_SLOTS(xhci->hcs_params1); i > 0; i--) > xhci_free_virt_devices_depth_first(xhci, i); > > if HCS_MAX_SLOTS slot_id is a hs-hub then all its children have slot_id < HCS_MAX_SLOTS, > and loop works fine. The loop works fine, but it exists with vdev pointing at MAX_SLOTS-1 due to off by one and then this happens: xhci_free_virt_device(xhci, vdev, slot_id); which means: xhci_free_virt_device(xhci, xhci->devs[MAX_SLOTS-1], MAX_SLOTS); If MAX_SLOTS-1 is a high speed hub, it will be freed right now, without freeing its children first. And whatever this device is, it will be freed without nulling xhci->devs[MAX_SLOTS-1], which might cause other UAF later (not sure). I think it's possible, though I haven't tried actually triggering it. The problem didn't exist before this recent patch.
Powered by blists - more mailing lists