lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87o6qw9koa.wl-tiwai@suse.de>
Date: Sat, 27 Sep 2025 13:52:53 +0200
From: Takashi Iwai <tiwai@...e.de>
To: Jeongjun Park <aha310510@...il.com>
Cc: syzbot <syzbot+f02665daa2abeef4a947@...kaller.appspotmail.com>,
	clemens@...isch.de,
	hdanton@...a.com,
	linux-kernel@...r.kernel.org,
	linux-sound@...r.kernel.org,
	perex@...ex.cz,
	syzkaller-bugs@...glegroups.com,
	tiwai@...e.de
Subject: Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output

On Sat, 27 Sep 2025 12:36:07 +0200,
Jeongjun Park wrote:
> 
> syzbot <syzbot+f02665daa2abeef4a947@...kaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete
> >
> > ==================================================================
> > BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
> > Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866
> >
> 
> Wow, the UAF bug still occurs?
> 
> But... this UAF seems to be a problem with how midi handles urb rather
> than a problem with my patch.
> 
> Is there something wrong with the way snd_usbmidi_in_urb_complete() is
> implemented?

This can be rather a missing kill-and-cleanup in the code path.
So the patch like below.

Could you check whether this works for you instead of your fix, too?
timer_shutdown_sync() is already called in snd_usbmidi_disconnect(),
and the call in snd_usbmidi_free() should be superfluous after this
change.


thanks,

Takashi

--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1522,6 +1522,9 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
 {
 	int i;
 
+	if (!umidi->disconnected)
+		snd_usbmidi_disconnect(&umidi->list);
+
 	for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
 		struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
 		if (ep->out)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ