leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
310e75c72f
linux/drivers/char
History
Ziyang Xuan 15c9a35909 char: xillybus: fix msg_ep UAF in xillyusb_probe() 
When endpoint_alloc() return failed in xillyusb_setup_base_eps(),
'xdev->msg_ep' will be freed but not set to NULL. That lets program
enter fail handling to cleanup_dev() in xillyusb_probe(). Check for
'xdev->msg_ep' is invalid in cleanup_dev() because 'xdev->msg_ep' did
not set to NULL when was freed. So the UAF problem for 'xdev->msg_ep'
is triggered.

==================================================================
BUG: KASAN: use-after-free in fifo_mem_release+0x1f4/0x210
CPU: 0 PID: 166 Comm: kworker/0:2 Not tainted 5.15.0-rc5+ #19
Call Trace:
 dump_stack_lvl+0xe2/0x152
 print_address_description.constprop.0+0x21/0x140
 ? fifo_mem_release+0x1f4/0x210
 kasan_report.cold+0x7f/0x11b
 ? xillyusb_probe+0x530/0x700
 ? fifo_mem_release+0x1f4/0x210
 fifo_mem_release+0x1f4/0x210
 ? __sanitizer_cov_trace_pc+0x1d/0x50
 endpoint_dealloc+0x35/0x2b0
 cleanup_dev+0x90/0x120
 xillyusb_probe+0x59a/0x700
...

Freed by task 166:
 kasan_save_stack+0x1b/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0x109/0x140
 kfree+0x117/0x4c0
 xillyusb_probe+0x606/0x700

Set 'xdev->msg_ep' to NULL after being freed in xillyusb_setup_base_eps()
to fix the UAF problem.

Fixes: a53d1202ae ("char: xillybus: Add driver for XillyUSB (Xillybus variant for USB)")
Cc: stable <stable@vger.kernel.org>
Acked-by: Eli Billauer <eli.billauer@gmail.com>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/r/20211016052047.1611983-1-william.xuanziyang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-10-19 09:40:18 +02:00
..
agp parisc: parisc-agp requires SBA IOMMU driver 2021-04-06 11:46:39 +02:00
hw_random hwrng: Add Arm SMCCC TRNG based driver 2021-08-06 19:45:26 +08:00
ipmi IPMI: A couple of very minor fixes for style and rate limiting 2021-09-12 11:44:58 -07:00
mwave char: mware: fix returnvar.cocci warnings 2021-08-27 16:20:37 +02:00
pcmcia TTY / Serial patches for 5.15-rc1 2021-09-01 09:51:16 -07:00
tpm tpm: ibmvtpm: Avoid error message when process gets signal while waiting 2021-08-23 19:55:42 +03:00
xilinx_hwicap treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
xillybus char: xillybus: fix msg_ep UAF in xillyusb_probe() 2021-10-19 09:40:18 +02:00
adi.c
apm-emulation.c
applicom.c Merge 5.12-rc6 into char-misc-next 2021-04-05 08:43:50 +02:00
applicom.h
bsr.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
ds1620.c
dsp56k.c
dtlk.c
hangcheck-timer.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 405 2019-06-05 17:37:13 +02:00
hpet.c char: hpet: Remove unused variable 'm' 2021-05-21 10:09:30 +02:00
Kconfig char: move RANDOM_TRUST_CPU & RANDOM_TRUST_BOOTLOADER into the Character devices menu 2021-08-16 19:02:19 +02:00
lp.c char: lp: remove redundant space around (inside) parenthesized expressions 2021-03-24 08:26:32 +01:00
Makefile remove the raw driver 2021-06-04 15:35:03 +02:00
mem.c /dev/mem: nowait zero/null ops 2021-09-14 10:46:19 +02:00
misc.c char: misc: increase DYNAMIC_MINORS value 2020-11-03 09:52:04 +01:00
mspec.c char: mspec: Use kvzalloc() in mspec_mmap() 2020-08-28 12:10:04 +02:00
nsc_gpio.c
nvram.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
nwbutton.c
nwbutton.h misc: cleanup minor number definitions in c file into miscdevice.h 2020-03-18 12:27:03 +01:00
nwflash.c misc: move FLASH_MINOR into miscdevice.h and fix conflicts 2020-03-18 12:27:04 +01:00
pc8736x_gpio.c
powernv-op-panel.c powerpc/powernv: Fix fall-through warning for Clang 2021-07-13 19:21:41 -05:00
ppdev.c ppdev: Distribute switch variables for initialization 2020-02-23 20:28:12 +01:00
ps3flash.c powerpc/ps3: make system bus's remove and shutdown callbacks return void 2020-12-04 01:01:22 +11:00
random.c random: remove dead code left over from blocking pool 2021-04-02 18:28:12 +11:00
scx200_gpio.c
sonypi.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
tb0219.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
tlclk.c drivers: char: tlclk.c: Avoid data race between init and interrupt handler 2020-04-23 16:55:24 +02:00
toshiba.c module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
ttyprintk.c tty: drop put_tty_driver 2021-07-27 12:17:21 +02:00
uv_mmtimer.c
virtio_console.c virtio_console: Assure used length from device is limited 2021-07-03 04:50:53 -04:00