Re: [PATCH 1/2] USB: serial: console: fix use-after-free on disconnect
On Mon, Oct 09, 2017 at 01:05:30PM +0200, Andrey Konovalov wrote:
> On Wed, Oct 4, 2017 at 11:01 AM, Johan Hovold wrote:
> > A clean-up patch removing removing two redundant NULL-checks from the
> > console disconnect handler inadvertently also removed a third check.
> > This could lead to the struct usb_serial being prematurely freed by the
> > console code when a driver accepts but does not register any ports for
> > an interface which also lacks endpoint descriptors.
> >
> > Fixes: 0e517c93dc02 ("USB: serial: console: clean up sanity checks")
> > Cc: stable # 4.11
> > Reported-by: Andrey Konovalov
>
> Tested-by: Andrey Konovalov
>
> This fixes the crash.

I just forwarded this one in a pull-request to Greg, but thanks for
testing nonetheless.

Johan
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 1/2] USB: serial: console: fix use-after-free on disconnect
On Wed, Oct 4, 2017 at 11:01 AM, Johan Hovold wrote:
> A clean-up patch removing removing two redundant NULL-checks from the
> console disconnect handler inadvertently also removed a third check.
> This could lead to the struct usb_serial being prematurely freed by the
> console code when a driver accepts but does not register any ports for
> an interface which also lacks endpoint descriptors.
>
> Fixes: 0e517c93dc02 ("USB: serial: console: clean up sanity checks")
> Cc: stable # 4.11
> Reported-by: Andrey Konovalov

Tested-by: Andrey Konovalov

This fixes the crash. Thanks!

> Signed-off-by: Johan Hovold
> ---
> drivers/usb/serial/console.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c > index fdf89800ebc3..ed8ba3ef5c79 100644 > --- a/drivers/usb/serial/console.c > +++ b/drivers/usb/serial/console.c > @@ -265,7 +265,7 @@ static struct console usbcons = { > > void usb_serial_console_disconnect(struct usb_serial *serial) > { > - if (serial->port[0] == usbcons_info.port) { > + if (serial->port[0] && serial->port[0] == usbcons_info.port) { > usb_serial_console_exit(); > usb_serial_put(serial); > }
> --
> 2.14.2
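Review bot: The restored serial->port[0] test in usb_serial_console_disconnect() carries no comment explaining why it is needed, and the commit message says a clean-up already dropped it once alongside two checks that really were redundant. Without it the condition also holds when serial->port[0] and usbcons_info.port are both NULL, so usb_serial_put(serial) runs for a device that was never the console. A short comment above the if, stating that port[0] is NULL when the driver registered no ports, would keep the check from being removed again.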
Re: [PATCH 1/2] USB: serial: console: fix use-after-free on disconnect
On Sat, Oct 07, 2017 at 05:56:17PM +0900, Jaejoong Kim wrote:
> Hi
>
> 2017-10-04 18:01 GMT+09:00 Johan Hovold:
> > A clean-up patch removing removing two redundant NULL-checks from the
>                             ^^
> The word 'removing' was written twice. :)

Thanks for noticing, now fixed up.

Johan
Re: [PATCH 1/2] USB: serial: console: fix use-after-free on disconnect
Hi

2017-10-04 18:01 GMT+09:00 Johan Hovold:
> A clean-up patch removing removing two redundant NULL-checks from the
                            ^^
The word 'removing' was written twice. :)

> console disconnect handler inadvertently also removed a third check.
> This could lead to the struct usb_serial being prematurely freed by the
> console code when a driver accepts but does not register any ports for
> an interface which also lacks endpoint descriptors.
>
> Fixes: 0e517c93dc02 ("USB: serial: console: clean up sanity checks")
> Cc: stable # 4.11
> Reported-by: Andrey Konovalov
> Signed-off-by: Johan Hovold
> ---
> drivers/usb/serial/console.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c > index fdf89800ebc3..ed8ba3ef5c79 100644 > --- a/drivers/usb/serial/console.c > +++ b/drivers/usb/serial/console.c > @@ -265,7 +265,7 @@ static struct console usbcons = { > > void usb_serial_console_disconnect(struct usb_serial *serial) > { > - if (serial->port[0] == usbcons_info.port) { > + if (serial->port[0] && serial->port[0] == usbcons_info.port) { > usb_serial_console_exit(); > usb_serial_put(serial); > }
> --
> 2.14.2
Re: [PATCH 1/2] USB: serial: console: fix use-after-free on disconnect
On Wed, Oct 04, 2017 at 11:01:12AM +0200, Johan Hovold wrote:
> A clean-up patch removing removing two redundant NULL-checks from the
> console disconnect handler inadvertently also removed a third check.
> This could lead to the struct usb_serial being prematurely freed by the
> console code when a driver accepts but does not register any ports for
> an interface which also lacks endpoint descriptors.
>
> Fixes: 0e517c93dc02 ("USB: serial: console: clean up sanity checks")
> Cc: stable # 4.11
> Reported-by: Andrey Konovalov
> Signed-off-by: Johan Hovold

Acked-by: Greg Kroah-Hartman