lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <166555665860.24262.6193967689608839339.kvalo@kernel.org>
Date:   Wed, 12 Oct 2022 06:37:40 +0000 (UTC)
From:   Kalle Valo <kvalo@...nel.org>
To:     Shigeru Yoshida <syoshida@...hat.com>
Cc:     pontus.fuchs@...il.com, davem@...emloft.net, edumazet@...gle.com,
        kuba@...nel.org, pabeni@...hat.com, linux-wireless@...r.kernel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com,
        Shigeru Yoshida <syoshida@...hat.com>,
        syzbot+95001b1fd6dfcc716c29@...kaller.appspotmail.com
Subject: Re: [PATCH] ar5523: Fix use-after-free on ar5523_cmd() timed out

Shigeru Yoshida <syoshida@...hat.com> wrote:

> syzkaller reported use-after-free with the stack trace like below [1]:
> 
> [   38.960489][    C3] ==================================================================
> [   38.963216][    C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240
> [   38.964950][    C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0
> [   38.966363][    C3]
> [   38.967053][    C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18
> [   38.968464][    C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
> [   38.969959][    C3] Call Trace:
> [   38.970841][    C3]  <IRQ>
> [   38.971663][    C3]  dump_stack_lvl+0xfc/0x174
> [   38.972620][    C3]  print_report.cold+0x2c3/0x752
> [   38.973626][    C3]  ? ar5523_cmd_tx_cb+0x220/0x240
> [   38.974644][    C3]  kasan_report+0xb1/0x1d0
> [   38.975720][    C3]  ? ar5523_cmd_tx_cb+0x220/0x240
> [   38.976831][    C3]  ar5523_cmd_tx_cb+0x220/0x240
> [   38.978412][    C3]  __usb_hcd_giveback_urb+0x353/0x5b0
> [   38.979755][    C3]  usb_hcd_giveback_urb+0x385/0x430
> [   38.981266][    C3]  dummy_timer+0x140c/0x34e0
> [   38.982925][    C3]  ? notifier_call_chain+0xb5/0x1e0
> [   38.984761][    C3]  ? rcu_read_lock_sched_held+0xb/0x60
> [   38.986242][    C3]  ? lock_release+0x51c/0x790
> [   38.987323][    C3]  ? _raw_read_unlock_irqrestore+0x37/0x70
> [   38.988483][    C3]  ? __wake_up_common_lock+0xde/0x130
> [   38.989621][    C3]  ? reacquire_held_locks+0x4a0/0x4a0
> [   38.990777][    C3]  ? lock_acquire+0x472/0x550
> [   38.991919][    C3]  ? rcu_read_lock_sched_held+0xb/0x60
> [   38.993138][    C3]  ? lock_acquire+0x472/0x550
> [   38.994890][    C3]  ? dummy_urb_enqueue+0x860/0x860
> [   38.996266][    C3]  ? do_raw_spin_unlock+0x16f/0x230
> [   38.997670][    C3]  ? dummy_urb_enqueue+0x860/0x860
> [   38.999116][    C3]  call_timer_fn+0x1a0/0x6a0
> [   39.000668][    C3]  ? add_timer_on+0x4a0/0x4a0
> [   39.002137][    C3]  ? reacquire_held_locks+0x4a0/0x4a0
> [   39.003809][    C3]  ? __next_timer_interrupt+0x226/0x2a0
> [   39.005509][    C3]  __run_timers.part.0+0x69a/0xac0
> [   39.007025][    C3]  ? dummy_urb_enqueue+0x860/0x860
> [   39.008716][    C3]  ? call_timer_fn+0x6a0/0x6a0
> [   39.010254][    C3]  ? cpuacct_percpu_seq_show+0x10/0x10
> [   39.011795][    C3]  ? kvm_sched_clock_read+0x14/0x40
> [   39.013277][    C3]  ? sched_clock_cpu+0x69/0x2b0
> [   39.014724][    C3]  run_timer_softirq+0xb6/0x1d0
> [   39.016196][    C3]  __do_softirq+0x1d2/0x9be
> [   39.017616][    C3]  __irq_exit_rcu+0xeb/0x190
> [   39.019004][    C3]  irq_exit_rcu+0x5/0x20
> [   39.020361][    C3]  sysvec_apic_timer_interrupt+0x8f/0xb0
> [   39.021965][    C3]  </IRQ>
> [   39.023237][    C3]  <TASK>
> 
> In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below
> (there are other functions which finally call ar5523_cmd()):
> 
> ar5523_probe()
> -> ar5523_host_available()
>    -> ar5523_cmd_read()
>       -> ar5523_cmd()
> 
> If ar5523_cmd() timed out, then ar5523_host_available() failed and
> ar5523_probe() freed the device structure.  So, ar5523_cmd_tx_cb()
> might touch the freed structure.
> 
> This patch fixes this issue by canceling in-flight tx cmd if submitted
> urb timed out.
> 
> Link: https://syzkaller.appspot.com/bug?id=9e12b2d54300842b71bdd18b54971385ff0d0d3a [1]
> Reported-by: syzbot+95001b1fd6dfcc716c29@...kaller.appspotmail.com
> Signed-off-by: Shigeru Yoshida <syoshida@...hat.com>
> Signed-off-by: Kalle Valo <quic_kvalo@...cinc.com>

Patch applied to ath-next branch of ath.git, thanks.

b6702a942a06 wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20221009183223.420015-1-syoshida@redhat.com/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Powered by blists - more mailing lists