Re: usb/gadget: use-after-free in gadgetfs_setup

Wed, 07 Dec 2016 03:42:08 -0800 

On Tue, Dec 6, 2016 at 9:30 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> [CC: list drastically trimmed]
>
> On Tue, 6 Dec 2016, Andrey Konovalov wrote:
>
>> On Tue, Dec 6, 2016 at 1:28 PM, Andrey Konovalov <andreyk...@google.com> 
>> wrote:
>> > On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern <st...@rowland.harvard.edu> 
>> > wrote:
>> >> On Mon, 5 Dec 2016, Andrey Konovalov wrote:
>> >>
>> >>> Hi!
>> >>>
>> >>> I've got the following error report while running the syzkaller fuzzer.
>> >>>
>> >>> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2).
>> >>>
>> >>> BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr
>> >>> ffff88003dfe5bf2
>
>> >> Can you test whether the patch below fixes this problem?
>> >
>> > Hi Alan,
>> >
>> > Yes, I believe it does.
>> > It also seems to fix the warnings in dummy_free_request() I've been 
>> > getting.
>>
>> It seems that I was wrong. Still see both use-after-free and warnings.
>
> You posted three messages about possibly related problems:
>
>         use-after-free in gadgetfs_setup (this one),
>
>         GPF in usb_gadget_unregister_driver,
>
>         warning in dummy_free_request.
>
> Are you saying the patch below didn't fix any of them?

No, as far as I can see.

>
> And in any case, is there any way you can post the series of system
> calls that syzkaller makes so we can tell what went wrong?

I've attached a reproducer for a use-after-free in gadgetfs_setup().
You need to enable KASAN to see the reports.

Thanks for looking at this!

>
> Alan Stern
>
>> >> Index: usb-4.x/drivers/usb/gadget/legacy/inode.c
>> >> ===================================================================
>> >> --- usb-4.x.orig/drivers/usb/gadget/legacy/inode.c
>> >> +++ usb-4.x/drivers/usb/gadget/legacy/inode.c
>> >> @@ -1762,6 +1762,10 @@ dev_config (struct file *fd, const char
>> >>         }
>> >>         spin_unlock_irq(&dev->lock);
>> >>
>> >> +       /* Registered but not yet bound to a UDC driver? */
>> >> +       if (dev->gadget_registered)
>> >> +               return -EIO;
>> >> +
>> >>         if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
>> >>                 return -EINVAL;
>> >>
>

Attachment: gadget-setup-uaf-poc.c
Description: Binary data

Reply via email to